unrar-free suffers from a stack-based buffer overflow caused by a fixed-size buffer that is used when the library is compiled with debug options.
unrar-lib.c
........ LINE 42
#define _DEBUG_LOG 1
#ifdef _DEBUG_LOG /* define macros for debugging */
..........
A fixed-size 500-byte buffer is allocated for DebugMsg:
#ifdef _DEBUG_LOG
char DebugMsg[500]; /* used to compose debug msg */
#endif
........
sprintf formats the message with attacker-controlled input and performs no length check; if the resulting string is longer than 500 bytes, the buffer overflows:
#ifdef _DEBUG_LOG
sprintf (DebugMsg, "Extracting \"%s\" from \"%s\" (password is \"%s\")...", filename, (char *) rarfile, libpassword ? libpassword : "");
debug_log (DebugMsg);
#endif
........
There are several ways to trigger the overflow: the filename (limited to 255 characters by the file system), the path, and, most reliably, the password input.
gdb-peda$ run
Starting program: /usr/local/bin/unrar -x archive.rar -p
Password: INPUT HERE A STRING LARGER THAN 500
unrar 0.0.1 Copyright (C) 2004 Ben Asselstine, Jeroen Dekkers
Extracting from /home/fuzzer/fuzz-sessions/rar/i/archive.rar
file header broken
*** buffer overflow detected ***: /usr/local/bin/unrar terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b2611c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117120)[0x7ffff7b24120]
/lib/x86_64-linux-gnu/libc.so.6(+0x116689)[0x7ffff7b23689]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7ffff7a886b0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x139b)[0x7ffff7a5b50b]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7ffff7b23714]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7ffff7b2366d]
/usr/local/bin/unrar[0x40f6cd]
/usr/local/bin/unrar[0x404f47]
/usr/local/bin/unrar[0x406383]
/usr/local/bin/unrar[0x401f57]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff7a2d830]
/usr/local/bin/unrar[0x401f89]
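As an added example (not code from the unrar-free project), here is a bounded replacement for the sprintf() call quoted above, together with a length computation that shows exactly when the 500-byte DebugMsg buffer is exceeded; the helper stored_len_for_password and the sample names a.txt / archive.rar are constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Same size as the DebugMsg[500] buffer quoted from unrar-lib.c. */
#define DEBUG_MSG_LEN 500
#define DEBUG_FMT "Extracting \"%s\" from \"%s\" (password is \"%s\")..."

/* Bytes the message needs (without the NUL), computed with
 * snprintf(NULL, 0, ...) so nothing is written anywhere. */
size_t debug_msg_len(const char *filename, const char *rarfile,
                     const char *libpassword)
{
    int n = snprintf(NULL, 0, DEBUG_FMT, filename, rarfile,
                     libpassword ? libpassword : "");
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded replacement for the sprintf() call: never writes more than
 * dstlen bytes. Returns 0 if the whole message fit, -1 if truncated. */
int format_debug_msg(char *dst, size_t dstlen, const char *filename,
                     const char *rarfile, const char *libpassword)
{
    if (dstlen == 0) return -1;
    int n = snprintf(dst, dstlen, DEBUG_FMT, filename, rarfile,
                     libpassword ? libpassword : "");
    if (n < 0) { dst[0] = '\0'; return -1; }
    return (size_t)n < dstlen ? 0 : -1;
}

/* Demonstration helper (hypothetical, not in unrar-free): formats with a
 * constructed password of pwlen 'A's into a DEBUG_MSG_LEN buffer and
 * returns the bytes stored, or -1 when the message was truncated. */
int stored_len_for_password(size_t pwlen)
{
    static char pw[1024], msg[DEBUG_MSG_LEN];
    if (pwlen >= sizeof pw) return -1;
    memset(pw, 'A', pwlen); pw[pwlen] = '\0';
    if (format_debug_msg(msg, sizeof msg, "a.txt", "archive.rar", pw) != 0)
        return -1;
    return (int)strlen(msg);
}

int main(void)
{
    printf("password of 6 bytes: %d stored\n", stored_len_for_password(6));
    printf("password of 599 bytes: %d (truncated, no overflow)\n",
           stored_len_for_password(599));
    return 0;
}
```

The `__sprintf_chk` and `__fortify_fail` frames in the backtrace above show that this build was compiled with glibc's _FORTIFY_SOURCE, which detected the overrun and aborted the process; the bounded version avoids both the overflow and the abort.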