ID: 3579
Date: 17/03/2008
Title: 3579 - CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats
Platform level affected: Operating System
Hardware components affected: Other
Specific operating systems components affected: Other
Net-enabled software: Other
Security software: Other
Other software: Other
Remediation Summary: Other
Vendors affected: N/A
Applications affected: programs that handle the archive formats ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Active
Potential Damage: Network DOS
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: CERT-FI and CPNI
Reliability of source: Trusted
Source URL: www.cert.fi
Abstract: The vulnerabilities described in this advisory can potentially affect programs that handle the archive formats ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO.
Vulnerability Research in Archive Formats
Version Information
-------------------
Advisory Reference CERT-FI: 20469
CPNI: 072928
CERT/CC: VU#813451
Release Date 17 March 2008 12:00 UTC
Last Revision 3 March 2008
Version Number 0.5
Acknowledgement
---------------
The Test Suite was provided by the Oulu University Secure Programming Group (OUSPG) at the University of Oulu in Finland.
What is Affected?
-----------------
The vulnerabilities described in this advisory can potentially affect programs that handle the archive formats ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO.
The Test Suite contains a set of fuzzed archive files in different formats, some of which are known to cause problems, and others that may cause problems, in common tools that process archived content. These include:
* Content inspection products such as anti-virus and stateful firewalls
* Encryption products (VPN, PGP)
* Backup software
* Office programs
* Operating systems and libraries
Impact
------
The impact of this research varies by vendor. Please see the 'Vendor Information'
section below for further information. Alternatively, contact your vendor for product specific information.
Vulnerabilities identified as part of this research can potentially expose Denial-of-Service (DoS) and/or buffer overflow conditions. In some cases, it may even be possible for an attacker to execute code on the affected system.
Severity
--------
The severity of this research varies by vendor. Please see the 'Vendor Information'
section below for further information. Alternatively, contact your vendor for product specific information.
Summary
-------
The Oulu University Secure Programming Group (OUSPG) has been working on a piece of research, known as the PROTOS Genome Project (GENOME), since January 2005. The objective of GENOME is to test implementations of arbitrary, possibly unknown, protocols by using model-assisted fuzzing to generate test material.
As part of GENOME, OUSPG began looking at archive formats. These formats are typically used to archive files and directories and compress them into smaller, compact packages that can then be stored or transmitted via various media in a convenient and economical manner.
During the initial research on archive formats, OUSPG identified that most implementations evaluated failed to perform in a robust manner. Some failures had security implications and hence should be identified as vulnerabilities.
In order to ensure products that support these formats are robust to any vulnerabilities that may be discovered as part of this research, the Test Suite was made available to multiple vendors so that they could use it to test their implementations.
Details
--------
Archive formats are typically used to perform one of the following functions:
(1) To hold one or more archived files. Most archive formats are also capable of storing folders in order to reconstruct the file/folder relationship when extracted.
(2) To compress one or more files and folders into a single file for backup or transport.
These formats, which include ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO, are usually platform-independent and are supported by a variety of implementations, including many anti-virus products.
It is for this reason that archive formats were chosen as the subject of further investigation as part of PROTOS GENOME. In this approach, a set of valid files is first collected; a program then analyses the structure of these files, yielding a rough model of the underlying file format. This model is used to generate similar files, which often contain modifications that would be extremely unlikely to appear in a valid file.
Usually programs should simply report that the files are invalid and resume operation in a controlled manner. However, behaviour such as program termination, altered behaviour and infinite loops can indicate unintentional, and in many cases exploitable, errors. Such behaviour on its own only shows that the implementation is not robust; whether a given failure is exploitable requires separate analysis.
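The approach described above, as an added example that is not part of the advisory or of OUSPG's PROTOS GENOME tooling: a valid gzip member is built with the Python standard library, its RFC 1952 structure is parsed into a rough model, the model drives generation of variants that no correct writer would emit, and each variant is fed to the standard library's gzip reader under a deadline so that the outcome can be classified into the categories the advisory cares about (controlled rejection, uncontrolled failure, suspected infinite loop). The seed payload, the mutation list and the outcome names are assumptions of the example; the stdlib reader is used as the consumer under test only because it is available offline.

```python
"""Model-assisted fuzzing of a gzip member, with a robustness harness.

Added example, not OUSPG's test suite. The seed payload, the mutation
list and the outcome names are assumptions of this example.
"""
import gzip
import io
import struct
import threading
import zlib

# RFC 1952 fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS  (10 bytes)
HEADER = struct.Struct("<BBBBIBB")
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10


def make_seed(payload: bytes = b"hello archive world\n" * 50) -> bytes:
    """Constructed valid seed: a real gzip member written by the stdlib."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", filename="seed.txt", mtime=0) as f:
        f.write(payload)
    return buf.getvalue()


def parse_model(data: bytes) -> dict:
    """The 'analyse' step: locate the variable-length header and the trailer."""
    id1, id2, cm, flg, _mtime, _xfl, _os = HEADER.unpack_from(data, 0)
    if (id1, id2, cm) != (0x1F, 0x8B, 8):
        raise ValueError("seed is not a deflate gzip member")
    pos, fname_at = HEADER.size, None
    if flg & FEXTRA:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flg & FNAME:
        fname_at = pos
        pos = data.index(b"\x00", pos) + 1
    if flg & FCOMMENT:
        pos = data.index(b"\x00", pos) + 1
    if flg & FHCRC:
        pos += 2
    # trailer = CRC32 (4 bytes) + ISIZE (4 bytes), always the last 8 bytes
    return {"flg": flg, "fname_at": fname_at, "header_end": pos,
            "trailer_at": len(data) - 8}


def generate_variants(seed: bytes):
    """The 'generate' step: model-driven mutants rather than blind bit flips."""
    m = parse_model(seed)
    body = seed[m["header_end"]:]

    # 1. FEXTRA set, with an XLEN that points far beyond the end of the file
    h = bytearray(seed[:HEADER.size])
    h[3] |= FEXTRA
    yield "fextra_overlong", bytes(h) + struct.pack("<H", 0xFFFF) + seed[HEADER.size:]

    # 2. FNAME string with its NUL terminator removed, so it runs into the
    #    deflate stream (the shape of an unbounded string copy in a C parser)
    if m["fname_at"] is not None:
        yield "fname_unterminated", seed[:m["header_end"] - 1] + body

    # 3. ISIZE in the trailer contradicting the real uncompressed length
    t = bytearray(seed)
    struct.pack_into("<I", t, m["trailer_at"] + 4, 0xFFFFFFFF)
    yield "isize_mismatch", bytes(t)

    # 4. One bit flipped in the CRC32
    t = bytearray(seed)
    t[m["trailer_at"]] ^= 0x01
    yield "crc_bitflip", bytes(t)

    # 5. File cut off in the middle of the deflate stream
    yield "truncated_body", seed[: m["header_end"] + len(body) // 2]


# Exceptions the stdlib reader raises on its controlled rejection paths.
EXPECTED = (gzip.BadGzipFile, EOFError, zlib.error, OSError)


def exercise(data: bytes, timeout: float = 2.0) -> str:
    """Classify one input: 'accepted', 'rejected' (the robust behaviour),
    'crash:<Exception>' (uncontrolled failure) or 'hang' (deadline hit)."""
    result = {}

    def run():
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as f:
                f.read()
            result["outcome"] = "accepted"
        except EXPECTED:
            result["outcome"] = "rejected"
        except Exception as exc:  # anything undocumented is treated as a crash
            result["outcome"] = f"crash:{type(exc).__name__}"

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    worker.join(timeout)
    return result.get("outcome", "hang")


def fuzz_campaign(seed: bytes) -> dict:
    """Map each variant name to the consumer's classified behaviour."""
    return {name: exercise(data) for name, data in generate_variants(seed)}
```

Against the stdlib reader every variant lands in the rejection class, which is the behaviour the advisory calls controlled; pointing the harness at another consumer means replacing the body of run() with a call to that tool. A 'crash' or 'hang' result only shows the implementation is not robust on that input; exploitability and severity are a separate triage step, as the RARLAB statement in the Vendor Information section makes explicit.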
Mitigation
----------
Please refer to the 'Vendor Information' section of this advisory for platform specific mitigation.
Solution
--------
Please refer to the 'Vendor Information' section of this advisory for platform specific remediation.
References
----------
TBA
Vendor Information
------------------
Vendor Statements
-----------------
Aladdin
No statement at this time
Apple
Our tests did not indicate any problems in Apple software running the test cases provided.
bzip2
One test case has been found to cause problems with bzip2. It has been fixed in version 1.0.5.
Citrix
No statement at this time
F-Secure
No statement at this time
Gfi
No statement at this time
Microsoft
No statement at this time
Oracle
No statement at this time
RARLAB
Potential problems were found in WinRAR 3.70 code for almost all formats included in the test suite except ZOO, which is not supported by WinRAR.
RARLAB did not investigate exploitability and severity of found problems.
All potential problems were fixed regardless of their severity. All these fixes were included in WinRAR 3.71.
S60Zip
S60Zip uses the API provided by the platform to decompress .zip files.
Secgo
No statement at this time
Symantec
We have done extensive testing against your test suite. We have verified that none of our products are vulnerable.
Credits
-------
CERT-FI and the CPNI Vulnerability Team would like to thank OUSPG for making the Test Suite available to vendors.
CERT-FI and the CPNI Vulnerability Team would also like to thank the vendors for their co-operation and to JPCERT/CC for co-ordinating this issue in Japan.
Contact Information
-------------------
CERT-FI Vulnerability Coordination can be contacted as follows:
Email vulncoord@ficora.fi
Please quote the advisory reference in the subject line
Telephone +358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)
Fax +358 9 6966 515
Post Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND
CERT-FI encourages those who wish to communicate via email to make use of our PGP key.
The key is available at https://www.cert.fi/en/activities/contact/pgp-keys.html
The CPNI Vulnerability Management Team can be contacted as follows:
Email VulTeam@cpni.gsi.gov.uk
Please quote the advisory reference in the subject line
Telephone +44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00
Fax +44 (0)870 487 0749
Post Vulnerability Management Team
CPNI
PO Box 60628
London
SW1P 1HA
We encourage those who wish to communicate via email to make use of our PGP key. The key is available at
http://www.cpni.gov.uk/key.aspx.
Please note that UK government protectively marked material should not be sent to the email address above.
If you wish to be added to our email distribution list please email your request to infosec@cpni.gov.uk.
What are CPNI and CERT-FI?
--------------------------
For further information regarding the Finnish National CERT Team, CERT-FI, please visit
http://www.cert.fi/en/index.html
For further information regarding the Centre for the Protection of National Infrastructure, please visit
http://www.cpni.gov.uk.
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Mon, 17 Mar 2008 12:00:00 GMT
Domain affected: Technical