
7-Zip: Multiple Memory Corruptions via RAR and ZIP


straycat19


In my previous posts about the two Bitdefender bugs related to 7z, I explicitly mentioned that Igor Pavlov’s 7-Zip reference implementation was not affected. Unfortunately, I cannot do the same for the bugs described in this blog post.

 

I found these bugs during the analysis of a prominent antivirus product. As the vendor has not yet published a patch I will add the name of the affected product in an update to this post as soon as this happens. Since Igor Pavlov has already published a patched version of 7-Zip and exploitation is likely to be easier for 7-Zip, I figured it would be best to publish this post as soon as possible.

 

Introduction

In the following, I will outline two bugs that affect 7-Zip before version 18.00 as well as p7zip. The first one (RAR PPMd) is the more critical and the more involved one. The second one (ZIP Shrink) seems to be less critical, but also much easier to understand.

Memory Corruptions via RAR PPMd (CVE-2018-5996)

7-Zip’s RAR code is mostly based on a recent UnRAR version. For version 3 of the RAR format, PPMd can be used, which is an implementation of the PPMII compression algorithm by Dmitry Shkarin. If you want to learn more about the details of PPMd and PPMII, I’d recommend Shkarin’s paper PPM: one step to practicality1.

 

Interestingly, the 7z archive format can be used with PPMd as well, and 7-Zip uses the same code that is used for RAR3. As a matter of fact, this is the very PPMd implementation that was used by Bitdefender in a way that caused a stack based buffer overflow.

 

In essence, this bug is due to improper exception handling in 7-Zip’s RAR3 handler. In particular, one might argue that it is not a bug in the PPMd code itself or in UnRAR’s extraction code.

 

 

The outlined heap and stack memory corruptions are only scratching the surface of possible exploitation paths. Most likely there are many other and possibly even neater ways of causing memory corruptions in an attacker controlled fashion.

 

This bug demonstrates again how difficult it can be to integrate external code into an existing code base. In particular, handling exceptions correctly and understanding the control flow they induce can be challenging.

 

In the post about Bitdefender’s PPMd stack buffer overflow, I already made clear that the PPMd code is very fragile. A slight misuse of its API, or a tiny mistake while integrating it into another code base may lead to multiple dangerous memory corruptions.

 

If you use Shkarin’s PPMd implementation, I would strongly recommend you to harden it by adding out of bound checks wherever possible, and to make sure the basic model invariants always hold. Moreover, in case exceptions are used, one could add an additional error flag to the model that is set to true before updating the model, and only set to false after the update has been successfully completed. This should significantly mitigate the danger of corrupting the model state.
 

Programmers Can Read Much More In This Long Article

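The error-flag mitigation recommended at the end of the quoted post, worked through as an added C++ example. This is not code from 7-Zip, UnRAR or the post's author; the toy model, the ByteSource reader and every function name below are assumptions made for illustration. The model keeps a cached total that must equal the sum of its symbol frequencies (standing in for the invariants a real PPMd context maintains). An exception thrown by the input reader in the middle of an update leaves the two out of sync. A decoder that swallows the exception and keeps using the same model object carries on with corrupted state, which in real PPMd code turns into out-of-bounds reads and writes; the guarded decoder checks the in-progress flag and refuses to decode further.

```cpp
// Added illustration (not code from 7-Zip, UnRAR or the quoted post):
// an "update in progress" flag that stops a decoder from reusing a model
// whose update was interrupted by an exception. ToyModel, ByteSource and
// the decode functions are hypothetical stand-ins for the real PPMd model.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <numeric>
#include <stdexcept>
#include <utility>
#include <vector>

// Input reader that throws when the constructed buffer runs out, which can
// happen in the middle of whatever model update is in flight.
struct ByteSource {
    std::vector<uint8_t> data;
    size_t pos = 0;
    explicit ByteSource(std::vector<uint8_t> d) : data(std::move(d)) {}
    uint8_t next() {
        if (pos >= data.size()) throw std::runtime_error("unexpected end of input");
        return data[pos++];
    }
};

// Toy adaptive model: per-symbol frequencies plus a cached total that must
// always equal their sum (the kind of invariant a PPMd context keeps).
struct ToyModel {
    std::vector<uint32_t> freq;
    uint32_t total;
    bool updateInProgress = false;  // the error flag the post recommends

    explicit ToyModel(size_t symbols)
        : freq(symbols, 1), total(static_cast<uint32_t>(symbols)) {}

    bool invariantHolds() const {
        return total == std::accumulate(freq.begin(), freq.end(), uint32_t{0});
    }

    // Multi-step update with an input read in between. If the read throws,
    // freq[sym] is already bumped but total is not: the model is left
    // inconsistent and the flag stays set.
    void update(uint8_t sym, ByteSource& in) {
        updateInProgress = true;
        freq[sym] += 1;                  // step 1: model partly modified
        uint8_t extra = in.next();       // may throw here
        freq[extra % freq.size()] += 1;  // step 2
        total += 2;                      // step 3: invariant restored
        updateInProgress = false;        // cleared only on full success
    }
};

// Faulty pattern: the caller catches the exception, keeps the same model
// object and decodes further symbols with it. Returns whether the invariant
// still holds at the end (real PPMd would corrupt memory instead).
bool unguardedDecode(ToyModel& m, ByteSource& in, size_t rounds) {
    for (size_t i = 0; i < rounds; ++i) {
        try {
            m.update(static_cast<uint8_t>(i % m.freq.size()), in);
        } catch (const std::runtime_error&) {
            // swallowed: decoding continues on a half-updated model
        }
    }
    return m.invariantHolds();
}

// Guarded pattern: never touch a model whose last update did not finish.
// Returns how many symbols were decoded before decoding was aborted.
size_t guardedDecode(ToyModel& m, ByteSource& in, size_t rounds) {
    size_t decoded = 0;
    for (size_t i = 0; i < rounds; ++i) {
        if (m.updateInProgress) break;  // model may be inconsistent: stop
        try {
            m.update(static_cast<uint8_t>(i % m.freq.size()), in);
            ++decoded;
        } catch (const std::runtime_error&) {
            // flag is still set; the next iteration refuses to continue
        }
    }
    return decoded;
}

struct Outcome {
    bool unguardedInvariantHolds;
    size_t guardedDecoded;
    bool guardedFlagSet;
    bool guardedInvariantHolds;
};

// Runs both decoders over the same constructed input: three bytes, then EOF
// while the fourth update is half done.
Outcome runScenario() {
    const std::vector<uint8_t> sample = {7, 2, 0};
    ToyModel a(4);
    ByteSource ina(sample);
    bool unguarded = unguardedDecode(a, ina, 5);
    ToyModel b(4);
    ByteSource inb(sample);
    size_t decoded = guardedDecode(b, inb, 5);
    return {unguarded, decoded, b.updateInProgress, b.invariantHolds()};
}

int main() {
    Outcome o = runScenario();
    std::printf("unguarded: invariant holds = %d\n", o.unguardedInvariantHolds);
    std::printf("guarded: decoded %zu symbols, flag set = %d, invariant holds = %d\n",
                o.guardedDecoded, o.guardedFlagSet, o.guardedInvariantHolds);
    return 0;
}
```

Build with any C++11 or later compiler and run: the unguarded decoder reports a broken invariant, the guarded one stops after three symbols with the flag still set. The guard does not repair the model; it only turns silent corruption into a clean abort, which the surrounding extraction code must then propagate as an error rather than swallow.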


Administrator

Topic moved to Security and Privacy News. As this is a software security vulnerability related issue, it fits better here.



Multiple vulnerabilities in 7-Zip. Get it updated now!

The venerable, now vulnerable, zipping/unzipping utility 7-Zip needs your attention. Here’s how to see if you have a bad version, and what to do about it.


Late last year, landave, a self-described “Computer Science student enjoying cryptography, reverse engineering, and other information security topics,” discovered two startling security holes in 7-Zip, a free zip program I’ve recommended for years.

 

Bottom line: If you haven’t updated 7-Zip in the past few days, get off your tail and do it now.

 

The bugs are subtle and, as best as I can tell, have never been leveraged in the wild. But that’s going to change as landave’s analysis reaches the mainstream.

 

Details of the bugs have to do with 7-Zip memory corruption, made worse by not running ASLR and DEP, and a heap buffer overflow in the shrink routine. Landave applied for, and received, a MITRE number for the latter, CVE-2017-17969.

There’s been a lot of back and forth about the bugs, but the upshot is that 7-Zip’s creator, Igor Pavlov, released a new version of 7-Zip, version 18.01, on Jan. 28. That's the version you need.

 

If you use 7-Zip, you can see which version you’re running by starting 7-Zip and clicking on Help > About 7-Zip. If you have a version prior to 18.01, get the new one. Now.

 

Updating 7-Zip couldn’t be simpler.

 

Step 1. Go to the official 7-Zip page and click the link to download either the 32-bit or 64-bit version.

Step 2. Right-click on the 7z1801-x64.exe file, and choose Run as administrator. If you get a “Windows protected your PC” message from SmartScreen, mutter an appropriate epithet, click the link for "More information," then click "Run anyway."

 

Step 3. Click yes on the User Account Control prompt, choose a destination folder, let the installer run, and reboot your computer.

 

7-Zip has a lot of good features. Don’t let it bite you.

 

Thx to Günter Born

 

(P.S. Not sure where landave goes to school, but he just published a PhD-worthy dissertation.)

 


 

Source: Multiple vulnerabilities in 7-Zip. Get it updated now! (Computerworld - Woody Leonhard)
