
7-Zip: Multiple Memory Corruptions via RAR and ZIP - landave
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/?hn
======
Klasiaster
Not turning on standard mitigation techniques because of binary size is one of
the strangest reasons I've heard. And then still programming in an unsafe
language, quite self-confident for a "humble programmer".

[https://www.cs.utexas.edu/~EWD/transcriptions/EWD03xx/EWD340...](https://www.cs.utexas.edu/~EWD/transcriptions/EWD03xx/EWD340.html)
It has already taught us a few lessons, and the one I have chosen to stress in
this talk is the following. We shall do a much better programming job,
provided that we approach the task with a full appreciation of its tremendous
difficulty, provided that we stick to modest and elegant programming
languages, provided that we respect the intrinsic limitations of the human
mind and approach the task as Very Humble Programmers.

~~~
withinrafael
He won't go https, sign his binaries, or enable mark-of-web either. It's
strange to see people still playing small binary golf in 2018.

~~~
chrisper
Is there a good alternative to 7-zip?

~~~
nbsd4lyfe
Libarchive (sometimes known as bsdtar) supports 7z with an independent
implementation.

~~~
pmorici
I think he means an open source unarchiver that works on Windows. Obviously
Linux and BSD have tar/gz/bz2 etc.

------
carussell
Two comments:

The way it's written, I first took the mention of finding this "during the
analysis of a prominent antivirus product" to mean that you were reverse
engineering some AV thing and found that it was scanning for this
vulnerability (i.e., to protect against bad archives). After a second read, it
seems like maybe not, and that the AV itself re-used parts of 7-zip for its
own implementation and was therefore vulnerable itself. Still not sure,
though.

The way the stylesheet makes the "rendered" form (especially section headings)
resemble markdown source is pretty neat.

~~~
arka2147483647
It's common knowledge that AV programs scan files inside compressed archives.
Obviously you need to run the decompression code to do that.

~~~
blattimwind
It's also common knowledge that the AV industry has a huge software quality
and engineering problem ("let's unpack malware and emulate x86 in kernel
space, because that never backfired before!").

~~~
katastic
I've actually heard from many people (including one Chrome developer) that they
don't even use AV anymore except Windows Defender, because 99% of AV break
Windows/applications by using non-standard hooks and may even introduce new
vulnerabilities with their kernel drivers/etc.

[https://it.slashdot.org/story/17/02/01/1334219/google-chrome...](https://it.slashdot.org/story/17/02/01/1334219/google-chrome-engineer-says-windows-defender-the-only-well-behaved-antivirus-cites-tons-of-empirical-data)

Honestly, if they can't even stop viruses from infiltrating closed systems
like Android and iOS, I don't see how an anti-virus suite could ever win the
battle against a user intentionally installing a virus.

(Of course, desktop apps are a different ballpark than web apps/websites where
you're merely connecting to a website vs installing a dedicated application
with filesystem access.)

~~~
hutzlibu
My experience so far (I helped maintain lots of non-IT people's computers) was
also that the performance gain from removing antivirus software (and just
using Defender) was worth the theoretically lower protection (if it even is lower).

Besides, with the behavior of most free antivirus I could not really
distinguish it from common spyware. Everything needs to call home these days ...

So when friends ask me if this computer is now virus/spyware free .. they are
usually a bit disappointed when I tell them, probably not, even if we delete
everything and remove windows (but it would help).

But most people, including me, need Windows from time to time, so it's always
a compromise. But common (free) antivirus is really just snake oil.

~~~
proactivesvcs
Many of my customers run the common free anti-virus programs and I can assure
you that they are not snake oil. The logs and alerts from blocked infection
attempts are testament to this.

I certainly would say that most of the free anti-virus is pushy, hungry and
generally not a particularly great marketing exercise.

~~~
freeflight
> The logs and alerts from blocked infection attempts are testament to this.

Infection attempts by what? Scans of phishing mail attachments they wouldn't
have opened anyway? At least if they know what they are doing. In addition,
many AV have this annoying habit of reporting quite a few false positives
based on sys-calls or some weird heuristics; this leads to the situation where
even totally legit software, from a trusted source, triggers a warning.

Which then conditions people to just click past the warning; at that point you
might as well not even run the AV at all and instead just scan individual
files online through some VirusTotal-like service and teach proper user
behavior.

Due to this dynamic, installing a good ad-blocker will probably do more for the
security of the average Windows user than any AV software ever would.

~~~
proactivesvcs
> Infection attempts by what?

In January I've seen logs blocking drive-by malware attempts, lots of infected
email attachments and an infected USB stick.

These are not false positives. They were not legitimate software from trusted
sources. The logs I read were real-world true positives and they were not
inconsequential trivia like tracking cookies or the like.

I don't think that in any of the cases the user would have had a warning to
blindly click through.

Not entirely sure how an advert blocker can stop email or device-carrying
malware.

~~~
freeflight
> They were not legitimate software from trusted sources.

Infected email attachments, unless they come from a trusted sender, I consider
"useless positives" because nobody, with the appropriate training, should be
opening them in the first place.

It's kinda along the same lines as tracking portscans and counting those as
"thwarted cyber attacks", like many government agencies tend to boast about:
it's nice for padding stats, but is it a real security gain?

AFAIK by now one of the most common successful attack vectors is drive-by kits
[0], increasingly served through advertisement channels. Ad-blockers/disabling
Java minimize this risk quite a bit, with low overhead, while having the added
comfort of making the web more user-friendly.

Which to me is the most sensible solution, unless one really likes opening
weird email attachments and/or plugging in untrusted devices.

> I don't think that in any of the cases the user would have had a warning to
> blindly click through.

If the user is already careless enough to connect untrusted devices and/or
open random email attachments, then I have no trust in said user to heed
any of the following warnings, as he/she already had to ignore previous best
practice warnings to get there in the first place.

[0] [http://www.securityweek.com/internets-big-threat-drive-attac...](http://www.securityweek.com/internets-big-threat-drive-attacks)

~~~
marshray
> nobody, with the appropriate training, should be opening them in the first
> place

How many users do you administer again?

~~~
freeflight
A whole lot of 5 users. I realize that in bigger companies it's probably less
hassle to just install AV software and "hardblock" undesired behavior.

I imagine that, depending on the country you are operating in, this might even
be a requirement to prevent legal hassle (getting sued for "neglect" if you're
not running AV software and something actually goes wrong), but IANAL.

But let's also keep in mind that AV solutions can have the exact opposite
effect of what they're supposed to do, from data leakage [0] [1] to straight
up remote code execution [2]. Which isn't that surprising, considering that
more complexity is usually a bad thing to add to any system, especially if
it's as deep-rooted as most AV suites tend to be.

[0] [https://www.directdefense.com/harvesting-cb-response-data-le...](https://www.directdefense.com/harvesting-cb-response-data-leaks-fun-profit/)

[1] [https://www.siliconrepublic.com/enterprise/kaspersky-nsa-lea...](https://www.siliconrepublic.com/enterprise/kaspersky-nsa-leak-mistake)

[2] [https://landave.io/2017/06/avast-antivirus-remote-stack-buff...](https://landave.io/2017/06/avast-antivirus-remote-stack-buffer-overflow-with-magic-numbers/)

------
landave
So I just tried to compile 7-Zip with VS2017 and /DYNAMICBASE. The main binary
7z.dll is 1,569,792 bytes in total, 9344 bytes (0.595%) of which are used by
the relocation table. Enabling stack canaries (/GS) gives me a 1,578,496 byte
binary (including the relocation table), so another 8704 bytes more.
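
A way to see what /DYNAMICBASE leaves behind in the binary, as an added example that is not landave's code or 7-Zip's: the script below parses a PE file's optional header and reports the DllCharacteristics mitigation flags (DYNAMIC_BASE, HIGH_ENTROPY_VA, NX_COMPAT, GUARD_CF) together with the size of the base relocation table as a share of the file, which is the overhead measured in the comment above. Run without arguments it uses a constructed, header-only PE32+ image padded to 1,569,792 bytes with a 9,344-byte relocation directory (the figures from the comment, not a real 7z.dll); `build_sample_pe` and `pe_mitigations` are names chosen here. /GS sets no DllCharacteristics bit; it is only visible through the security cookie in the load configuration directory, which this check does not parse.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*)
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,   # 64-bit ASLR (/HIGHENTROPYVA)
    "DYNAMIC_BASE":    0x0040,   # image may be relocated at load time (/DYNAMICBASE)
    "NX_COMPAT":       0x0100,   # DEP compatible (/NXCOMPAT)
    "GUARD_CF":        0x4000,   # Control Flow Guard (/guard:cf)
}
BASE_RELOC_DIR = 5               # data directory index of the base relocation table


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report mitigation flags and .reloc overhead."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                   # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                                 # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at the same offset in PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    reloc_size = 0
    # Only read the relocation entry if the header actually carries it.
    if ndirs > BASE_RELOC_DIR and dirs_off + 8 * (BASE_RELOC_DIR + 1) <= opt_size:
        _rva, reloc_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * BASE_RELOC_DIR)
    result = {name: bool(dll_chars & bit) for name, bit in DLL_FLAGS.items()}
    result["reloc_bytes"] = reloc_size
    result["reloc_pct"] = round(100.0 * reloc_size / len(data), 3) if data else 0.0
    return result


def build_sample_pe(dll_chars: int, reloc_size: int, total_size: int) -> bytes:
    """Constructed sample: a minimal PE32+ header (no sections, zero padded).

    This is test input built here, not a real binary.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> PE signature
    n_dirs = 16
    opt_size = 112 + 8 * n_dirs                          # PE32+ with 16 directories
    # Machine=x64, 0 sections, timestamp/symbols 0, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)           # DllCharacteristics
    struct.pack_into("<I", opt, 108, n_dirs)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * BASE_RELOC_DIR, 0x1000, reloc_size)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image + bytes(total_size - len(image))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # Constructed sample mirroring the comment's figures: 1,569,792-byte image,
        # 9,344-byte relocation table, ASLR + DEP enabled, no CFG.
        flags = DLL_FLAGS["DYNAMIC_BASE"] | DLL_FLAGS["HIGH_ENTROPY_VA"] | DLL_FLAGS["NX_COMPAT"]
        data = build_sample_pe(flags, 9344, 1_569_792)
    for key, value in pe_mitigations(data).items():
        print(f"{key:16} {value}")
```

Point it at any PE file (`python pe_mitigations.py some.dll`) to see whether DYNAMIC_BASE is set and how large the relocation data is relative to the file. A binary built without /DYNAMICBASE typically has the flag clear and an empty relocation directory, which is exactly the size saving the comment quantifies.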

~~~
mjevans
It would be interesting to have a comparison based on locally built binaries
both with and without these features enabled.

Performing the tests on packing the actual 7-Zip source code (as shipped
without extras) would be a valid reference suite.

~~~
landave
I assume you mean a performance comparison? The runtime performance cost of
ASLR on Windows is zero once a binary has been loaded, since the code is
relocated at load time.

Stack canaries might cause a slight performance hit, but it is usually below
one percent, since it creates only a small cost per function call for a
fraction of all functions.

~~~
AnIdiotOnTheNet
People not caring about load time costs are probably one of the reasons the
guy still uses VC6, which starts up practically instantly.

------
jwilk
Timeline with a sane date format:

2017-12-29 - Discovery

2017-12-29 - Report

2017-12-29 - MITRE assigned CVE-2017-17969

2018-01-10 - Patched version 7-Zip 18.00 released

~~~
kijin
7-Zip 18.00 is not really "released" at this time.

18.00 is marked as "beta" on the official website, and 16.04 is still at the
top of the list. An average person trying to download 7-Zip right now will
most likely choose the vulnerable version.

Beta versions of 7-Zip frequently stay in that status for months, if not
years. Between 9.20 and 15.12, 7-Zip produced nothing but beta versions for 5
years. I understand the project moves slowly, but this is not a release model
that facilitates quick dissemination of important security patches.

~~~
da_chicken
> Between 9.20 and 15.12, 7-Zip produced nothing but beta versions for 5
> years.

That's not all that surprising. The software was 10 years old when v9 came out
and the major version number is just the year of release. There aren't 5 major
releases that never got out of beta. The major version numbers in 7-Zip are
misleading this way because the author doesn't really conform to standard
conventions. Of course, that is pretty obvious once you use the software for
a while. It still doesn't properly support UAC.

------
ccleve
Does the most recent version on the 7-Zip website, 18.00 beta, contain the
patch? It's two weeks old.

7-Zip doesn't appear to contain an auto-updater or an "update me" button.

~~~
Flott
I find it a little bit concerning that the release note of V18.00 beta does
not mention any fix for a security issue. I guess it's included in the "bug
fixes"...

[https://sourceforge.net/p/sevenzip/discussion/45797/thread/6...](https://sourceforge.net/p/sevenzip/discussion/45797/thread/628149a0/)

------
yborg
While this analysis was done for 7zip, I would imagine that pretty much every
packaged implementation on any platform would have these issues, since most
people do exactly the same thing - reuse the reference implementation.

Just checked keka on macOS, and it uses the p7zip code.

------
equalunique
> If you use Shkarin's PPMd implementation, I would strongly recommend you to
> harden it by adding out of bound checks wherever possible, and to make sure
> the basic model invariants always hold.

Sounds like a fun project.

------
rburhum
MS COM C++ style coding for those that are interested and curious about all
the S_FALSE and STDMETHODIMP macros.

------
d33
Why wasn't it found with afl-fuzz?

~~~
landave
The RAR PPMd bug can only be triggered if many conditions are satisfied. For
example, the RAR archive needs to be mostly correctly structured, and needs to
have at least two items that are compressed with the right flags (e.g., RAR
version 3, PPMd). Furthermore, the compressed streams need to be constructed
such that the bugs are triggered. Hence, I believe the bug is difficult to hit
with straightforward coverage-guided fuzzing.

------
Froyoh
Where do you learn about these things? This all went over my head.

~~~
landave
What do you mean exactly by "these things"?

It may be that the blog post is difficult to understand simply because I have
written it poorly...

~~~
brokenmachine
I read posts like that and marvel at how much people can understand. Well done
and thanks for posting.

------
rhabarba
Happy to have switched to WinRAR years ago. At least they do QA.

~~~
AsyncAwait
I am sure WinRAR has no bugs whatsoever, but would still like to see some
evidence to that fact.

~~~
ComodoHacker
Some of the previous non-existent bugs:

[http://seclists.org/fulldisclosure/2015/Sep/106](http://seclists.org/fulldisclosure/2015/Sep/106)
[https://www.rarlab.com/vuln_zip_spoofing_4.20.html](https://www.rarlab.com/vuln_zip_spoofing_4.20.html)

~~~
jwilk
> [http://seclists.org/fulldisclosure/2015/Sep/106](http://seclists.org/fulldisclosure/2015/Sep/106)

This is not a vulnerability:

[https://www.rarlab.com/vuln_sfx_html.htm](https://www.rarlab.com/vuln_sfx_html.htm)

