Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitpackGoogle Security ResearchEXPLOITPACK:BB431218AB084EB07BC1671AEC3E6AC7
HistoryDec 10, 2015 - 12:00 a.m.

Rar - CmdExtract::UnstoreFile Integer Truncation Memory Corruption

2015-12-1000:00:00
Google Security Research
7
JSON

Rar - CmdExtract::UnstoreFile Integer Truncation Memory Corruption

Source: https://code.google.com/p/google-security-research/issues/detail?id=550

The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize early.

I observed this crash in Avast Antivirus, but the origin of the code appears to be the unrar source distribution. I imagine many other antiviruses will be affected, and presumably WinRAR and other archivers.

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38930.zip
JSON