WINRAR/ACE VULNERABILITY

Description

Last week Check Point Research published information about a (19 year old!) vulnerability in WinRAR, a popular file compression tool. WinRAR can de/compress files with a variety of compression algorithms. The vulnerability is possible because of a specific implementation of the ACE algorithm. ACE is an uncommon and older type of compression. The vulnerability, during decompression, allows the archive to surreptitiously designate the target path for the inflated files. Combine that ability with compressed archive’s ability to sneak past anti-virus programs, and you have a serious threat.

Mitigation

To mitigate the vulnerability the authors of WinRAR have removed support for ACE effective in version 5.70 beta 1 and later. Check Point updated their Sandblast Agent to catch this vulnerability.

CVE

2018-20251

Keywords: anti-virus, rar, malware, winrar

Troy Frericks.
blog 2-Mar-2019
=
Copyright 2015-2019 by Troy Frericks, http://cybersecurityblog1.frericks.us/.
#

CROSS-SITE SCRIPTING/XSS VS CROSS-SITE REQUEST FORGERY/CSRF

Summary

Both Cross-site Scripting/XSS and Cross-site Request Forgery/CSRF are browser exploits. XSS does not necessarily use an authenticated session; the vulnerability attempts to inject untrusted code in the web page / web app. In an authenticated session, the CSRF vulnerability injects/modifies a link or form that is able to take advantage of the current session.

Cross-site Scripting (XSS)
XSS is a vulnerability listed as A7 in the OWASP Top Ten Project. It is an attack directed at the user of the web browser (or web app).

In XSS, a web page is sent from the server to the browser with a script (or a link) that is hidden by a malicious attacker.

XSS Attacks

  • Other web sites (via, for example, query/request parameters). This was the original vulnerability, and why the vulnerability is called “Cross Site”. A more appropriate name now might be “Script Injection”, but I digress.
  • Server Vulnerability that allowed the script to be replaced/stored on the server.
  • Network. Prior to the common use of TLS, Internet Service Providers have been known to inject javascript into web pages passing through their network to facilitate such things as analytics, advertising, etc.
  • Local. Malware that has access to the browser can potentially alter the environment.

Cross-site Request Forgery (CSRF)
XSS is vulnerability no longer makes the OWASP Top Ten Project as this vulnerability is nearly eradicated due to the use of hardened frameworks. Only about 5% of applications have been found to be vulnerable (2017).

A common occurrence of CSRF is if a target was in a session authenticated to a target server, and that target server does not have proper controls in place. The bad-guy could blindly present a link on his web site that just happened to reference the target server that, if clicked, would causes an action on the target server in the context of an authenticated session.

Keywords: csrf, csf, rsr, javascript, java script, perl, flash, browser, dom, xss, css, cs

Troy Frericks.
blog 4-Feb-2019
=
Copyright 2015-2019 by Troy Frericks, http://cybersecurityblog1.frericks.us/.
#