Bug 378049 - app-arch/unrar Local Stack-based Overflow exploit
Summary: app-arch/unrar Local Stack-based Overflow exploit
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://packetstormsecurity.org/files/...
Whiteboard: B2 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-07 08:27 UTC by Srdjan Rakic
Modified: 2012-05-21 07:00 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Srdjan Rakic 2011-08-07 08:27:45 UTC
Unrar suffers from a local stack buffer overflow vulnerability. Script used was developed to bypass non-executing stack patches.

[ tux ~/Programming/C/Exploitation ] $ ./unrarexplt.pl 
[*]Looking for jmp *%esp gadget...
[+]Jump to $esp found! (0x)
[+]Now exploiting...
*** buffer overflow detected ***: /usr/bin/unrar terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fbde74c37e7]
/lib64/libc.so.6(+0xeb600)[0x7fbde74c1600]
/lib64/libc.so.6(+0xea979)[0x7fbde74c0979]
/lib64/libc.so.6(_IO_default_xsputn+0x85)[0x7fbde7446f75]
/lib64/libc.so.6(_IO_vfprintf+0x1bf3)[0x7fbde741a3a3]
/lib64/libc.so.6(__vsprintf_chk+0x9d)[0x7fbde74c0a1d]
/usr/bin/unrar[0x40d6eb]
/usr/bin/unrar[0x42023b]
/usr/bin/unrar[0x421107]
/usr/bin/unrar[0x422779]
/usr/bin/unrar[0x4029be]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fbde73f4ebd]
/usr/bin/unrar[0x402879]
======= Memory map: ========
00400000-0042f000 r-xp 00000000 08:05 4572956                            /usr/bin/unrar
0062f000-00630000 r--p 0002f000 08:05 4572956                            /usr/bin/unrar
00630000-00631000 rw-p 00030000 08:05 4572956                            /usr/bin/unrar
00631000-00643000 rw-p 00000000 00:00 0 
006c0000-006e1000 rw-p 00000000 00:00 0                                  [heap]
7fbde7153000-7fbde71d5000 r-xp 00000000 08:05 5620216                    /lib64/libm-2.13.so
7fbde71d5000-7fbde73d4000 ---p 00082000 08:05 5620216                    /lib64/libm-2.13.so
7fbde73d4000-7fbde73d5000 r--p 00081000 08:05 5620216                    /lib64/libm-2.13.so
7fbde73d5000-7fbde73d6000 rw-p 00082000 08:05 5620216                    /lib64/libm-2.13.so
7fbde73d6000-7fbde7559000 r-xp 00000000 08:05 5620246                    /lib64/libc-2.13.so
7fbde7559000-7fbde7758000 ---p 00183000 08:05 5620246                    /lib64/libc-2.13.so
7fbde7758000-7fbde775c000 r--p 00182000 08:05 5620246                    /lib64/libc-2.13.so
7fbde775c000-7fbde775d000 rw-p 00186000 08:05 5620246                    /lib64/libc-2.13.so
7fbde775d000-7fbde7762000 rw-p 00000000 00:00 0 
7fbde7762000-7fbde7777000 r-xp 00000000 08:05 8290419                    /lib64/libgcc_s.so.1
7fbde7777000-7fbde7976000 ---p 00015000 08:05 8290419                    /lib64/libgcc_s.so.1
7fbde7976000-7fbde7977000 r--p 00014000 08:05 8290419                    /lib64/libgcc_s.so.1
7fbde7977000-7fbde7978000 rw-p 00015000 08:05 8290419                    /lib64/libgcc_s.so.1
7fbde7978000-7fbde7a63000 r-xp 00000000 08:05 5415969                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.5.3/libstdc++.so.6.0.14
7fbde7a63000-7fbde7c63000 ---p 000eb000 08:05 5415969                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.5.3/libstdc++.so.6.0.14
7fbde7c63000-7fbde7c6b000 r--p 000eb000 08:05 5415969                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.5.3/libstdc++.so.6.0.14
7fbde7c6b000-7fbde7c6d000 rw-p 000f3000 08:05 5415969                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.5.3/libstdc++.so.6.0.14
7fbde7c6d000-7fbde7c82000 rw-p 00000000 00:00 0 
7fbde7c82000-7fbde7ca1000 r-xp 00000000 08:05 5620206                    /lib64/ld-2.13.so
7fbde7e70000-7fbde7e75000 rw-p 00000000 00:00 0 
7fbde7ea0000-7fbde7ea1000 rw-p 00000000 00:00 0 
7fbde7ea1000-7fbde7ea2000 r--p 0001f000 08:05 5620206                    /lib64/ld-2.13.so
7fbde7ea2000-7fbde7ea3000 rw-p 00020000 08:05 5620206                    /lib64/ld-2.13.so
7fbde7ea3000-7fbde7ea4000 rw-p 00000000 00:00 0 
7ffffed1b000-7ffffed3d000 rw-p 00000000 00:00 0                          [stack]
7ffffedff000-7ffffee00000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted
[ tux ~/Programming/C/Exploitation ] $ unrar --version

UNRAR 4.00 freeware      Copyright (c) 1993-2011 Alexander Roshal

The exploit was created to target unrar <= v3.93, but it seems like it works on 4.0 too.

Reproducible: Always
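What the pasted output actually shows is worth spelling out. The frames __vsprintf_chk and __fortify_fail under the "*** buffer overflow detected ***" banner are glibc's _FORTIFY_SOURCE runtime check: unrar called sprintf() into a fixed-size buffer, the fortified wrapper noticed the formatted output exceeded the buffer, and it aborted the process inside the libc call, before the return address could be overwritten. On this build the result is a crash, not a demonstrated control-flow hijack; the output says nothing about an unfortified build either way. The C program below is an added example (not unrar's code and not the reporter's script): it reproduces the sprintf()-into-stack-buffer pattern that trips __vsprintf_chk, puts the bounded replacement beside it, and includes a small triage helper that classifies a glibc abort backtrace by its frames. The buffer size, the format string, and the helper names are assumptions made for illustration; the sample backtrace is taken from the report above.

```c
/* Added example, not part of the bug report or of unrar itself.
 * Build with fortification and run with the "overflow" argument to see the
 * same kind of abort as in the report:
 *   gcc -O2 -D_FORTIFY_SOURCE=2 -o fortify_demo fortify_demo.c && ./fortify_demo overflow
 * Without -D_FORTIFY_SOURCE the same call silently smashes the stack instead.
 */
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* assumed buffer size for illustration */

/* Vulnerable pattern: sprintf() into a fixed stack buffer whose size the
 * compiler can see. With -D_FORTIFY_SOURCE=2 -O2, glibc routes this through
 * __sprintf_chk -> __vsprintf_chk; when the output would exceed NAME_BUF,
 * __fortify_fail prints "*** buffer overflow detected ***" and aborts before
 * anything past the buffer (canary, saved rbp, return address) is written. */
void vulnerable_format(const char *name)
{
    char buf[NAME_BUF];
    sprintf(buf, "Extracting %s", name);   /* no bound on name */
    puts(buf);
}

/* Hardened replacement: snprintf() is given the real buffer size and its
 * return value is checked, so oversized input is reported, not written.
 * Returns 0 on success, 1 if the output was truncated, -1 on encoding error. */
int bounded_format(char *out, size_t outsz, const char *name)
{
    int n = snprintf(out, outsz, "Extracting %s", name);
    if (n < 0)
        return -1;
    if ((size_t)n >= outsz)
        return 1;
    return 0;
}

/* Triage helper for a glibc abort backtrace (assumed helper, not a glibc API).
 * Returns:
 *   1  stack protector fired (__stack_chk_fail): the canary was overwritten,
 *      so the write reached past the local buffer;
 *   2  _FORTIFY_SOURCE fired (a *_chk frame above __fortify_fail): the
 *      overflow was caught inside the libc call, before any hijack;
 *   0  neither marker present.
 * __stack_chk_fail itself calls __fortify_fail, so it is checked first. */
int classify_abort(const char *backtrace)
{
    if (strstr(backtrace, "__stack_chk_fail"))
        return 1;
    if (strstr(backtrace, "__fortify_fail") && strstr(backtrace, "_chk+"))
        return 2;
    return 0;
}

int main(int argc, char **argv)
{
    /* Frames copied from the report above. */
    static const char report[] =
        "/lib64/libc.so.6(__fortify_fail+0x37)[0x7fbde74c37e7]\n"
        "/lib64/libc.so.6(__vsprintf_chk+0x9d)[0x7fbde74c0a1d]\n"
        "/usr/bin/unrar[0x40d6eb]\n";
    printf("report classification: %d (2 = FORTIFY_SOURCE abort)\n",
           classify_abort(report));

    char out[NAME_BUF];
    char longname[200];                      /* constructed oversized input */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("bounded: short -> %d, long -> %d\n",
           bounded_format(out, sizeof out, "a.txt"),
           bounded_format(out, sizeof out, longname));

    if (argc > 1 && strcmp(argv[1], "overflow") == 0)
        vulnerable_format(longname);         /* aborts under FORTIFY_SOURCE */
    return 0;
}
```

The classification is a heuristic on frame names: a *_chk frame directly under __fortify_fail means the size check in the libc wrapper fired, whereas __stack_chk_fail means the overflow had already passed the buffer and hit the canary. Neither tells you whether an unfortified, non-protected build of the same binary is exploitable; that needs a separate test with those mitigations off.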
Comment 1 Khayyam 2012-05-21 00:11:55 UTC
The OP is incorrect in stating that the "[s]cript used was developed to bypass non-executing stack patches"; in fact the script states: "It was not developped to bypass non-executing stack patches".

I wasn't able to reproduce this with app-arch/unrar-4.1.4-r2 on a non-hardened system using sys-kernel/gentoo-sources-3.2.12 with CONFIG_CC_STACKPROTECTOR=n.

There are no-comments on packetstorm, nor can I see any reference to it elsewhere.

If gentoo-security wants more details I can provide them, but I think this may now be obsolete, or fictitious.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2012-05-21 07:00:53 UTC
I'm also unable to reproduce this with unrar-4.2.2. I don't think this problem applies to any of our app-arch/unrar pkgs.