1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. HTTP RARLAB WinRAR LHA Filename BO

HTTP RARLAB WinRAR LHA Filename BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attempt to exploit a buffer overflow vulnerability in WinRAR which may result in remote code execution.

Additional Information

RARLAB WinRAR is a compression utility capable of reading and writing files using several different archival formats. It is available for the Microsoft Windows operating system.

WinRAR is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

The vulnerable code in WinRAR is responsible for handling LHA archives. The code concatenates filenames of up to 252 bytes with directory names of up to 1020 bytes into a buffer of only 255 bytes without bounds-checking the copy operation. This occurs in the 'lzh.fmt' file.

This vulnerability allows attackers to execute arbitrary machine code in the context of the affected application.

Versions of WinRAR from 3.0 to 3.60 beta 6 are vulnerable to this issue.

Affected

  • RARLAB WinRar 3.60 beta 7, 3.0, 3.0.0, 3.10, 3.10 beta 3, 3.10 beta 5, 3.11, 3.20, 3.30, 3.40, 3.41, 3.42, 3.50, 3.51, 3.60 beta 1, 3.60 beta 2, 3.60 beta 3, 3.60 beta 4, 3.60 beta 5, 3.60 beta 6

Response

Download and install all vendor patches related to this issue.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube