
WinRar 0-day exploit for versions less than 3.50

  • Posted on:October 18, 2005 at 11:42 am
  • Posted in:Bad Sites
  • Author: JJ Reyes (Advanced Threats Researcher)

We’ve just gotten hold of an exploit for WinRar and we’ve tested/created our own POC (based on the original one) and yes, it works (tested on WinXPSp2, Winrar v.3.41).

How it works

The POC works by submitting a loong string (~530 bytes) as an argument to WinRar.exe. WinRar crashes on this, we get our buffer overflow, we have the EIP, and we now control the WinRar process.

Malware effect

Joey and I had a discussion on how a malware can use this. Because the buffer is supplied as an argument, this means that the buffer IS the filename of the file to be opened.
  • c:test.exe [long string].rar

And, the maximum number of characters in a filename is limited to ~255-260 (depending on the OS); our buffer is greater than that so hmmm…


Any thoughts on how a malware can use this as a propagation/installation method? Meanwhile, Joey and I are doing other tests to see if and how a malware can use this as a propagation method. And of course, we will update this entry later. Stay tuned.


Update

After more discussions and a test, we think that this cannot be used for eveeeel purposes. We tried creating a test script on a webpage, wherein a link is offered for download. Once the link is clicked, the name that we give on the script is the LONG string with a RAR extension. The idea is, if the user decides to open the RAR (via the link), the exploit gets executed.


Well, it didn’t work either. Tested on both IE and Firefox. Windows truncates the filename to the allowable number of characters. Oh well. This can be a nice tutorial for buffer overflow lessons though hehehe. Anyway, if anyone has any ideas, do tell hehehe.
