Information

The vulnerability exists in the window procedure (WinProc) of the “Enter password” dialog window.
This window is created in two scenarios:

  1. In the extraction process of an archive that is protected by a password
  2. In the compression process, if the user wants to create an archive that is protected by a password

During initialization of the window, the WinProc handles a window message of type WM_INITDIALOG.
The code that handles the WM_INITDIALOG message initializes an instance of a class (allocating memory on the heap) and saves the pointer in the “user data” associated with the window via the SetWindowLong API (using the GWL_USERDATA [-21] index parameter).

However, when the user closes the window that asks for the password (in either the extraction or the compression process) by clicking the X in the upper right corner of the window, the allocated class instance associated with the window’s “user data” is freed first, and only then is the EndDialog API called.
The call to EndDialog causes the window messages related to destroying the window to be sent to the WinProc.
A relevant quote from MSDN: “EndDialog does not destroy the dialog box immediately.”
When the WinProc handles the next incoming window messages after the call to EndDialog, the freed class instance is read (a use-after-free).
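The following is an added example illustrating the lifetime bug described above; it is not code from WinRAR or from the advisory. It is a portable C simulation: the Win32 message ids, `GetWindowLong`/`SetWindowLong` on `GWL_USERDATA` and `EndDialog` are replaced by stand-ins (assumed for this simulation, not `<windows.h>`), the per-dialog object `PasswordState` is hypothetical, and "freeing" only sets a flag so that a read after free can be counted instead of triggering undefined behaviour. `vulnerable_proc` reproduces the ordering from the text (free the object, then call EndDialog, then keep dereferencing the user data on later messages); `hardened_proc` defers the release to the last message the window receives (`WM_NCDESTROY`), clears the user data before releasing it, and null-checks the pointer on every message.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the Win32 message ids used below (assumed for this simulation, not <windows.h>). */
enum { WM_INITDIALOG = 0x0110, WM_CLOSE = 0x0010, WM_DESTROY = 0x0002, WM_NCDESTROY = 0x0082 };

/* Models the window's GWL_USERDATA slot and whether EndDialog has been requested. */
typedef struct { void *user_data; int ended; } Window;

static void *get_user_data(Window *w)         { return w->user_data; } /* GetWindowLong(GWL_USERDATA) */
static void  set_user_data(Window *w, void *p) { w->user_data = p; }    /* SetWindowLong(GWL_USERDATA) */
static void  end_dialog(Window *w)             { w->ended = 1; }        /* EndDialog: destruction is deferred */

/* Hypothetical per-dialog object allocated in WM_INITDIALOG. */
typedef struct { int freed; int attempts; } PasswordState;

/* Instrumented allocator: objects come from a fixed pool and "free" only sets a flag,
   so a read after free is counted rather than being undefined behaviour. */
static PasswordState g_pool[8];
static size_t g_next;
static int g_reads_after_free;

static PasswordState *alloc_state(void) {
    PasswordState *s = &g_pool[g_next++ % 8];
    s->freed = 0; s->attempts = 0;
    return s;
}
static void release_state(PasswordState *s) { s->freed = 1; }
static int read_attempts(PasswordState *s) {
    if (s->freed) g_reads_after_free++;   /* this is the read the crash dump shows */
    return s->attempts;
}

typedef int (*DlgProc)(Window *, unsigned);

/* Mirrors the ordering described in the advisory: release first, EndDialog second,
   and every later message still dereferences the stale user-data pointer. */
static int vulnerable_proc(Window *w, unsigned msg) {
    switch (msg) {
    case WM_INITDIALOG:
        set_user_data(w, alloc_state());
        return 1;
    case WM_CLOSE: {                                 /* user clicked the X */
        PasswordState *s = get_user_data(w);
        release_state(s);                            /* object freed ... */
        end_dialog(w);                               /* ... then EndDialog; user data still points at it */
        return 1;
    }
    default: {                                       /* WM_DESTROY, WM_NCDESTROY, ... */
        PasswordState *s = get_user_data(w);
        if (s) (void)read_attempts(s);               /* reads the freed object */
        return 0;
    }
    }
}

/* Hardened form: the object outlives EndDialog and is released only in WM_NCDESTROY,
   after the user-data slot has been cleared; every other path null-checks the pointer. */
static int hardened_proc(Window *w, unsigned msg) {
    PasswordState *s = get_user_data(w);
    switch (msg) {
    case WM_INITDIALOG:
        set_user_data(w, alloc_state());
        return 1;
    case WM_CLOSE:
        end_dialog(w);                               /* only request teardown; keep the object alive */
        return 1;
    case WM_NCDESTROY:                               /* last message the window receives */
        set_user_data(w, NULL);
        if (s) release_state(s);
        return 0;
    default:
        if (s) (void)read_attempts(s);
        return 0;
    }
}

/* Drives the message sequence from the text: init, the X click, then the
   destroy-related messages that EndDialog causes to be delivered afterwards.
   Returns how many reads of a freed object occurred. */
static int run_dialog(DlgProc proc) {
    Window w = { NULL, 0 };
    g_reads_after_free = 0;
    proc(&w, WM_INITDIALOG);
    proc(&w, WM_CLOSE);
    if (w.ended) {
        proc(&w, WM_DESTROY);
        proc(&w, WM_NCDESTROY);
    }
    return g_reads_after_free;
}

int main(void) {
    printf("vulnerable proc: %d reads after free\n", run_dialog(vulnerable_proc));
    printf("hardened proc:   %d reads after free\n", run_dialog(hardened_proc));
    return 0;
}
```

In the simulation the vulnerable procedure touches the released object twice (once for `WM_DESTROY` and once for `WM_NCDESTROY`), which is exactly the window between `EndDialog` and actual destruction that the MSDN quote warns about; the hardened procedure never does, because the release is tied to the end of the window's lifetime rather than to the user's click.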

Crash Dump

    (4304.1e5c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    *** ERROR: Module load completed but symbols could not be loaded for WinRAR.exe
    eax=1c35afb8 ebx=1c35afb8 ecx=0cb607f5 edx=00000000 esi=000a0065 edi=010330ae
    eip=00f981c0 esp=00e2ebc8 ebp=00e2ec04 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    WinRAR+0x481c0:
    00f981c0 8b03            mov     eax,dword ptr [ebx]  ds:002b:1c35afb8=????????

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    FAULTING_IP: 
    WinRAR+481c0
    00f981c0 8b03            mov     eax,dword ptr [ebx]

    EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 00f981c0 (WinRAR+0x000481c0)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: 1c35afb8
    Attempt to read from address 1c35afb8

    CONTEXT:  00000000 -- (.cxr 0x0;r)
    eax=1c35afb8 ebx=1c35afb8 ecx=0cb607f5 edx=00000000 esi=000a0065 edi=010330ae
    eip=00f981c0 esp=00e2ebc8 ebp=00e2ec04 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    WinRAR+0x481c0:
    00f981c0 8b03            mov     eax,dword ptr [ebx]  ds:002b:1c35afb8=????????

    FAULTING_THREAD:  00001e5c

    PROCESS_NAME:  WinRAR.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005

    EXCEPTION_PARAMETER1:  00000000

    EXCEPTION_PARAMETER2:  1c35afb8

    READ_ADDRESS:  1c35afb8 

    FOLLOWUP_IP: 
    WinRAR+481c0
    00f981c0 8b03            mov     eax,dword ptr [ebx]

    NTGLOBALFLAG:  2000000

    APPLICATION_VERIFIER_FLAGS:  0

    APP:  winrar.exe

    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_WRITE

    PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_BEFORE_WRITE

    DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_BEFORE_WRITE

    IP_ON_HEAP:  1a7e4f40

    FRAME_ONE_INVALID: 1

    LAST_CONTROL_TRANSFER:  from 1a7e4f40 to 00f981c0

    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00e2ec04 1a7e4f40 00e2ec58 00000005 ffffffff WinRAR+0x481c0
    00000000 00000000 00000000 00000000 00000000 0x1a7e4f40

    STACK_COMMAND:  .cxr 0x0 ; kb

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  winrar+481c0

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: WinRAR

    IMAGE_NAME:  WinRAR.exe

    DEBUG_FLR_IMAGE_TIMESTAMP:  5b2fb2d9

    FAILURE_BUCKET_ID:  INVALID_POINTER_READ_BEFORE_WRITE_c0000005_WinRAR.exe!Unknown

    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_WRITE_winrar+481c0

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_before_write_c0000005_winrar.exe!unknown

    FAILURE_ID_HASH:  {817c7c6e-fdac-7973-b49b-46ffd2a77eee}

PoC

A file named poc.rar is attached.
To reproduce the crash, follow these steps:

  • Enable the PageHeap option in GFlags.exe
  • Extract the file using WinRAR’s GUI
  • In the password pop-up window, click the X symbol on the right that closes the window

Attachments:
poc.rar

References:
https://research.checkpoint.com/extracting-code-execution-from-winrar/
https://www.rarlab.com/rarnew.htm