These are the steps taken to start fuzzing WinRAR: WinRAR is a trialware file archiver utility for Windows which can create and view archives in RAR or ZIP file formats and unpack numerous archive file formats.Īccording to the WinRAR website, over 500 million users worldwide make WinRAR the world’s most popular compression tool today.įigure 2: WinRAR GUI. Perhaps it’s also worth mentioning that a substantial amount of money in various bug bounty programs is offered for these types of vulnerabilities.įigure 1: Zerodium tweet on purchasing WinRAR vulnerability. From this point on it was simple to leverage this vulnerability to a remote code execution. After researching this behavior, we found a logical bug: Absolute Path Traversal. However, the fuzzer produced a test case with “weird” behavior. We turned our focus and fuzzer to this “low hanging fruit” dll, and looked for a memory corruption bug that would hopefully lead to Remote Code Execution. One of the crashes produced by the fuzzer led us to an old, dated dynamic link library (dll) that was compiled back in 2006 without a protection mechanism (like ASLR, DEP, etc.) and is used by WinRAR. After the good results we got from our Adobe Research, we decided to expand our fuzzing efforts and started to fuzz WinRAR too.
BackgroundĪ few months ago, our team built a multi-processor fuzzing lab and started to fuzz binaries for Windows environments using the WinAFL fuzzer. The exploit works by just extracting an archive, and puts over 500 million users at risk. This vulnerability has existed for over 19 years(!) and forced WinRAR to completely drop support for the vulnerable format. In this article, we tell the story of how we found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain full control over a victim’s computer.
0 kommentar(er)
