CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats
Vulnerability Research in Archive Formats
Version Information
Advisory Reference CERT-FI: 20469
CPNI: 072928
CERT/CC: VU#813451
Release Date 17 March 2008 12:00 UTC
Last Revision 6 August 2009
Version Number 1.3
CVEs:
Acknowledgement
The Test Suite was provided by the Oulu University Secure Programming Group (OUSPG) at
the University of Oulu in Finland.
What is Affected?
The vulnerabilities described in this advisory can potentially affect programs that handle
the archive formats ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO.
The Test Suite contains a set of fuzzed archive files in different formats, some of which
may cause, and some of which are known to cause, problems in common tools that process
archived content. These include:
* Content inspection products such as anti-virus and stateful firewalls
* Encryption products (VPN, PGP)
* Backup software
* Office programs
* Operating systems and libraries
Impact
The impact of this research varies by vendor. Please see the 'Vendor Information'
section below for further information. Alternatively, contact your vendor for product
specific information.
Vulnerabilities identified as part of this research can potentially result in
Denial-of-Service (DoS) and/or buffer overflow conditions. In some cases, it may
even be possible for an attacker to execute code on the affected system.
Severity
The severity of this research varies by vendor. Please see the 'Vendor Information'
section below for further information. Alternatively, contact your vendor for product
specific information.
Summary
The Oulu University Secure Programming Group (OUSPG) has been working on a piece of
research, known as the PROTOS Genome Project (GENOME), since January 2005. The objective
of GENOME was to test the implementations of arbitrary, possibly unknown, protocols by
using model-assisted fuzzing to generate test material.
As part of GENOME, OUSPG began looking at archive formats. These formats are typically
used to archive files and directories and compress them into smaller, compact packages
that can then be stored or transmitted via various media in a convenient and economical
manner.
During the initial research on archive formats, OUSPG identified that most
implementations evaluated failed to perform in a robust manner. Some failures had security
implications and hence should be identified as vulnerabilities.
In order to ensure that products supporting these formats are robust against any
vulnerabilities discovered as part of this research, the Test Suite was made available to
multiple vendors so that they could use it to test their implementations.
Details
Archive formats are typically used to perform one of the following functions:
(1) To hold one or more archived files. Most archive formats are also capable of storing
folders in order to reconstruct the file/folder relationship when extracted.
(2) To compress one or more files and folders into a single file for backup or transport.
These formats, which include ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO, are
usually platform-independent and are supported by a variety of implementations,
including many anti-virus products.
It is for this reason that archive formats were chosen as the subject of further
investigation as part of PROTOS GENOME. In this approach, a set of valid files is first
collected, then a program is used to analyse the structure of these files, yielding a rough
model of the underlying file format. This model is then used to generate similar
files, which often have modifications that would be extremely unlikely to appear in a
valid file.
Usually, programs should simply report that the files are invalid and resume operation in a
controlled manner. However, behaviour such as program termination, altered behaviour or
infinite loops can indicate unintentional and, in many cases, exploitable errors.
The test material can be found at the following URL:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/
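As an added illustration (not part of this advisory or of the OUSPG test material), the following Python parser for the gzip member header shows the controlled failure mode described above: every file-supplied length is checked against the bytes actually present, and malformed input is reported as InvalidArchive instead of reading out of bounds or scanning forever. The sample header and its mutated variants are constructed here, not taken from the Test Suite.

```python
FHCRC, FEXTRA, FNAME, FCOMMENT = 2, 4, 8, 16

class InvalidArchive(ValueError):
    """Malformed header: report it and move on to the next file."""

def parse_gzip_header(data: bytes) -> dict:
    """Parse one gzip member header (RFC 1952). Every length is checked against
    the bytes actually present, so bad input raises InvalidArchive instead of
    reading out of bounds or scanning forever."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise InvalidArchive("bad magic or truncated fixed header")
    cm, flg = data[2], data[3]  # then MTIME(4) XFL(1) OS(1), not needed here
    if cm != 8 or flg & 0xE0:
        raise InvalidArchive("unknown method or reserved flag bits set")
    hdr, pos = dict.fromkeys(("extra", "name", "comment"), b""), 10
    if flg & FEXTRA:
        if pos + 2 > len(data):
            raise InvalidArchive("truncated XLEN")
        xlen = int.from_bytes(data[pos:pos + 2], "little")
        if pos + 2 + xlen > len(data):  # file-supplied length vs. real size
            raise InvalidArchive("XLEN exceeds available data")
        hdr["extra"], pos = data[pos + 2:pos + 2 + xlen], pos + 2 + xlen
    for flag, key in ((FNAME, "name"), (FCOMMENT, "comment")):
        if flg & flag:
            end = data.find(b"\x00", pos)  # bounded scan, never past the buffer
            if end < 0:
                raise InvalidArchive(f"unterminated {key}")
            hdr[key], pos = data[pos:end], end + 1
    if flg & FHCRC:
        if pos + 2 > len(data):
            raise InvalidArchive("truncated FHCRC")
        pos += 2
    hdr["header_len"] = pos
    return hdr

def classify(data: bytes) -> str:
    """'ok', 'invalid' (reported, processing continues) or 'bug' (anything else)."""
    try:
        parse_gzip_header(data)
        return "ok"
    except InvalidArchive:
        return "invalid"
    except Exception:
        return "bug"

# Constructed sample: a valid header (FEXTRA|FNAME set) plus Test-Suite-style mutations.
VALID = (b"\x1f\x8b\x08" + bytes([FEXTRA | FNAME]) + b"\x00\x00\x00\x00\x00\x03"
         + b"\x04\x00" + b"AB\x01\x00" + b"a.txt\x00")
CASES = {"valid": VALID, "truncated": VALID[:12], "unterminated_name": VALID[:-1],
         "huge_xlen": VALID[:10] + b"\xff\xff" + VALID[12:]}
```

Running every entry of CASES through classify should yield "ok" once and "invalid" otherwise; a "bug" result is exactly the uncontrolled failure the advisory describes.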
Mitigation
Please refer to the 'Vendor Information' section of this advisory for platform specific
mitigation.
Solution
Please refer to the 'Vendor Information' section of this advisory for platform specific
remediation.
Vendor Information
Vendor Statements
Aladdin
No statement at this time
Apple
Our tests did not indicate any problems in Apple software running the test cases provided.
bzip2
One test case has been found to cause problems with bzip2. It has been fixed in version 1.0.5.
Citrix
No statement at this time
F-Secure
Several products from F-Secure Corporation are vulnerable to the issue described in CERT-FI: 20469, CPNI: 072928, CERT/CC: VU#813451. Patches for the vulnerability have been published, and distributed automatically to end-users for all products that support automatic patching. More information about potential impact, affected products and available patches can be found in the advisory FSC-2008-2 located at http://www.f-secure.com/security/fsc-2008-2.shtml.
Gfi
No statement at this time
Microsoft
No statement at this time
Oracle
No statement at this time
RARLAB
Potential problems were found in WinRAR 3.70 code for almost all formats included in the test suite except ZOO, which is not supported by WinRAR. RARLAB did not investigate exploitability and severity of found problems. All potential problems were fixed regardless of their severity. All these fixes were included in WinRAR 3.71.
S60Zip
S60Zip uses the API provided by the platform to decompress .zip files.
Secgo
No statement at this time
Symantec
We have done extensive testing against your test suite. We have verified that none of our products are vulnerable.
Credits
CERT-FI and the CPNI Vulnerability Team would like to thank OUSPG for making the Test Suite available to vendors.
CERT-FI and the CPNI Vulnerability Team would also like to thank the vendors for their co-operation and to JPCERT/CC for co-ordinating this issue in Japan.
Contact Information
CERT-FI Vulnerability Coordination can be contacted as follows:
Email:
vulncoord@ficora.fi
Please quote the advisory reference in the subject line
Telephone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)
Fax:
+358 9 6966 515
Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND
CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.cert.fi/en/activities/contact/pgp-keys.html
The CPNI Vulnerability Management Team can be contacted as follows:
Email:
VulTeam@cpni.gsi.gov.uk
Please quote the advisory reference in the subject line
Telephone:
+44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00
Fax:
+44 (0)870 487 0749
Post:
Vulnerability Management Team
CPNI
PO Box 60628
London
SW1P 1HA
We encourage those who wish to communicate via email to make use of our PGP key. The key is available at http://www.cpni.gov.uk/key.aspx.
Please note that UK government protectively marked material should not be sent to the email address above.
If you wish to be added to our email distribution list please email your request to infosec@cpni.gov.uk.
What are CERT-FI and CPNI?
For further information regarding the Finnish National CERT Team, CERT-FI, please visit http://www.cert.fi/en/index.html
For further information regarding the Centre for the Protection of National Infrastructure, please visit http://www.cpni.gov.uk.
Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.
Neither shall CPNI accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.
© 2008 Crown Copyright