
Rarlab win rar
In this article, we tell the story of how we found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain full control over a victim’s computer. The exploit works by just extracting an archive, and puts over 500 million users at risk. This vulnerability has existed for over 19 years(!) and forced WinRAR to completely drop support for the vulnerable format.

Background

A few months ago, our team built a multi-processor fuzzing lab and started to fuzz binaries for Windows environments using the WinAFL fuzzer. After the good results we got from our Adobe Research, we decided to expand our fuzzing efforts and started to fuzz WinRAR too.

One of the crashes produced by the fuzzer led us to an old, dated dynamic link library (dll) that was compiled back in 2006 without a protection mechanism (like ASLR, DEP, etc.) and is used by WinRAR. We turned our focus and fuzzer to this “low hanging fruit” dll, and looked for a memory corruption bug that would hopefully lead to Remote Code Execution.

However, the fuzzer produced a test case with “weird” behavior. After researching this behavior, we found a logical bug: Absolute Path Traversal. From this point on it was simple to leverage this vulnerability to a remote code execution.

Perhaps it’s also worth mentioning that a substantial amount of money in various bug bounty programs is offered for these types of vulnerabilities.

Figure 1: Zerodium tweet on purchasing WinRAR vulnerability.

WinRAR is a trialware file archiver utility for Windows which can create and view archives in RAR or ZIP file formats and unpack numerous archive file formats. According to the WinRAR website, over 500 million users worldwide make WinRAR the world’s most popular compression tool today.

Figure 2: WinRAR GUI.

These are the steps taken to start fuzzing WinRAR:

1. Creation of an internal harness inside the WinRAR main function which enables us to fuzz any archive type, without stitching a specific harness for each format. This is done by patching the WinRAR executable.
2. Eliminate GUI elements such as message boxes and dialogs which require user interaction. This is also done by patching the WinRAR executable. There are some message boxes that pop up even in CLI mode of WinRAR.
3. Use a giant corpus from an interesting piece of research conducted around 2005 by the University of Oulu.
4. Fuzz the program with WinAFL using WinRAR command line switches. These force WinRAR to parse the “broken archive” and also set default passwords (“-p” for password and “-kb” for keep broken extracted files).
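The logical bug found here is an absolute path traversal during extraction: an entry name the extractor writes to an absolute location, or outside the destination folder, instead of under it. The check below is an added example of the validation an extractor should apply to every entry name before it writes anything; it is not WinRAR's code or Check Point's, and the entry names are constructed samples.

```python
import os
import re

# Constructed sample entry names (not from any real archive). The first two are
# benign relative names; the rest are shapes an extractor must refuse to write.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "build\\out\\app.log",
    "C:\\data\\file.txt",            # drive-letter absolute path
    "\\\\server\\share\\x.dll",      # UNC path
    "/etc/passwd",                   # POSIX absolute path
    "../../outside.txt",             # parent traversal
    "a/../../../outside.txt",        # traversal hidden behind a benign prefix
]

_SEPARATORS = re.compile(r"[\\/]+")


def entry_is_safe(name: str) -> bool:
    """True only if an archive entry name cannot escape the extraction root.

    Treats both '/' and '\\' as separators, so a name crafted for Windows is
    judged the same way on any host. Rejects leading separators (absolute and
    UNC paths), drive letters and any '..' component.
    """
    if not name or name[0] in "/\\":
        return False
    if re.match(r"^[A-Za-z]:", name):
        return False
    parts = [p for p in _SEPARATORS.split(name) if p]
    return bool(parts) and ".." not in parts


def safe_destination(root: str, name: str):
    """Absolute path under `root` where `name` may be written, or None if unsafe."""
    if not entry_is_safe(name):
        return None
    root_abs = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root_abs, *_SEPARATORS.split(name)))
    # Second, independent check: the resolved path must still sit under root.
    if os.path.commonpath([root_abs, target]) != root_abs:
        return None
    return target


def audit_entries(entries):
    """Map each entry name to whether an extractor may write it under the root."""
    return {name: entry_is_safe(name) for name in entries}


if __name__ == "__main__":
    for name, ok in audit_entries(SAMPLE_ENTRIES).items():
        print(f"{'OK    ' if ok else 'REJECT'} {name!r}")
```

The same name-level rejection plus the resolved-path comparison is what keeps a "keep broken files" extraction from ever writing outside the chosen folder, whatever format the entry came from.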