


Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection

From "Carlos E.R." <robin_listas@es.invalid>
Newsgroups alt.comp.os.windows-10, alt.comp.os.windows-11, comp.os.linux.advocacy
Subject Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection
Date 2025-08-28 14:57 +0200
Message-ID <ta06olxj1s.ln2@Telcontar.valinor> (permalink)
References (1 earlier) <108n81e$orq6$1@toylet.eternal-september.org> <108o3vk$vok4$10@dont-email.me> <108o7f8$10ph7$1@dont-email.me> <108pael$191t5$1@dont-email.me> <108pg25$1ahah$1@dont-email.me>

Cross-posted to 3 groups.



On 2025-08-28 13:54, Paul wrote:
> On Thu, 8/28/2025 6:19 AM, Daniel70 wrote:
>> On 28/08/2025 10:21 am, Hank Rogers wrote:
>>> Lawrence D’Oliveiro wrote on 8/27/2025 6:22 PM:
>>>> On Wed, 27 Aug 2025 23:25:34 +0800, Mr. Man-wai Chang wrote:
>>>>
>>>>> I think I have seen many bug reports about WinRAR ....
>>>>
>>>> This isn’t one of them, but I still don’t understand how the vulnerability is supposed to work. The proofs of concept on the
>>>> Trellix page all seem to rely on wantonly dangerous use of the
>>>> “eval” command, which would be a dumb thing to do indeed.
>>>
>>> I thought Linux didn't have any bugs or malware.  Damn, things are getting bad.
>>>
>> Does ANYTHING ever get to "didn't have any bugs or malware" state??
>>
>> "didn't have any *UNDISCOVERED* bugs or malware" today, sure, but who know what will be the state tomorrow!!
> 
> A lot of mistakes are implementation mistakes, like not
> using a hardened routine for this or that. And, we can estimate
> how many unclassified mistakes there are in a work. Like some
> version of Windows, the estimate was 50,000 just based on the KLOC count.
> Microsoft would have automatic scans for the easy stuff -- even the
> compiler can slap your fingers for some of those.
> 
> This is a different class of bug, in that it is an architecture bug.
> It could be, that the private RAR module could be doing this, rather than
> the Archive Manager applying this recipe to everything it does. There
> is no mention of ZIP files having specially crafted filenames, for example.
> 
> The RAR decoder module is free. The only question I would have about
> it, is whether it is Open Source and all the code for RAR in the
> Archive Manager, can be read by anyone ("many eyes"). If Mr. Roshal
> coded this up, and the activity is hidden in a binary blob, that would
> make it easier to understand. It just doesn't seem like an activity you
> would do at that level, and logically the place to be attempting
> stuff like this, is the Archive Manager.

There are two decoders.

One is "unrar". The source is available, but AFAIK it doesn't classify 
as "open source". SUSE classifies it as "NonFree".

cer@Telcontar:~> rpm -qi unrar
Name        : unrar
Version     : 7.1.1
Release     : lp156.2.3.1
Architecture: x86_64
Install Date: 2025-02-13T21:45:22 CET
Group       : Unspecified
Size        : 404795
License     : NonFree
Signature   : RSA/SHA512, 2024-12-08T11:55:04 CET, Key ID 35a2f86e29b700a4
Source RPM  : unrar-7.1.1-lp156.2.3.1.src.rpm
Build Date  : 2024-12-08T11:54:57 CET
Build Host  : h02-ch1a
Relocations : (not relocatable)
Packager    : http://bugs.opensuse.org
Vendor      : openSUSE
URL         : https://www.rarlab.com
Summary     : A program to extract, test, and view RAR archives
Description :
The unRAR utility is a freeware program distributed with source code
and developed for extracting, testing, and viewing the contents of
archives created with the RAR archiver.
Distribution: SUSE Linux Enterprise 15
cer@Telcontar:~>


file "/usr/share/doc/packages/unrar/readme.txt" says:

    4. Legal stuff

    Unrar source may be used in any software to handle RAR archives
    without limitations free of charge, but cannot be used to re-create
    the RAR compression algorithm, which is proprietary. Distribution
    of modified Unrar source in separate form or as a part of other
    software is permitted, provided that it is clearly stated in
    the documentation and source comments that the code may not be used
    to develop a RAR (WinRAR) compatible archiver.

    More detailed license text is available in license.txt.


However, the file "license.txt" is not available, dunno why.


The other decoder is in the shareware "rar" package:

cer@Telcontar:~> rpm -qi rar
Name        : rar
Version     : 6.2.2
Release     : 150600.1.pm.2
Architecture: x86_64
Install Date: 2025-02-13T21:54:54 CET
Group       : Productivity/Archiving/Compression
Size        : 1001629
License     : NonFree
Signature   : RSA/SHA1, 2024-10-17T10:26:00 CEST, Key ID 45a1d0671abd1afb
Source RPM  : rar-6.2.2-150600.1.pm.2.src.rpm
Build Date  : 2024-10-17T03:58:06 CEST
Build Host  : buildwk3
Relocations : (not relocatable)
Packager    : packman@links2linux.de
Vendor      : http://packman.links2linux.de
URL         : https://www.rarsoft.com
Summary     : Compression and decompression program rar
Description :
Compression and decompression program.
Distribution: Extra / openSUSE_Leap_15.6
cer@Telcontar:~>


It is not clear which package presents the problem, but I guess it is 
both. The readme file in unrar says:


    1. General

    Unrar source is subset of RAR and generated from RAR source automatically,
    by a small program removing blocks like '#ifndef UNRAR ... #endif'.
    Such method is not perfect and you may find some RAR related stuff
    unnecessary in Unrar, especially in header files.



> 
> And once the Linux people find where in the code this is happening,
> this will lead to an examination of the ecosystem, to make sure there
> are no more of these (obviously bad) things out there. I doubt anyone
> signed off on this as being "particularly clever". This might well be
> code that was never reviewed.
> 
> The RAR encoder module costs money. That's how its author keeps himself fed.
> That only gets on a computer if you bought a copy.
> 
> 7ZIP comes with an SDK, and the Archive Manager version could be based
> on the SDK materials. (Even Windows uses libarchive, a recent addition.)
> Whereas the Windows 7Z executable version (from its web site) is closed
> source as far as I know, but still free. The Windows version was recently
> modified to include a higher threads-of-execution count, so that it could
> be used on machines with "processor groups" (you can finally compress with
> your 96 core computer and use all 96 cores). The article describing this,
> was VERY strangely worded, and the reporter was obviously in a shit-disturbing
> mood.
> 
> One of the acid tests for compressors, is getting two different versions
> of code, to produce roughly the same file size. You can't expect an exact
> match, due to time stamps, but if the byte counts are the same, that is
> a positive sign. When I tried to get Linux and Windows to make the same
> 7Z, it didn't work out that well. Generally I do not hear comments about
> "this version could not decode the output of that version", that
> seems handled pretty well. The two ecosystems could still read each others output.
> 
> It may have started with an email, but only part of the attachment handling
> would be done there, and handoff of any further layers of decoding needed,
> could end up with the Archive Manager. As a software dev, when you
> "use someone elses services", you don't know how stupid they are. And
> it may not be apparently, that something as silly as the problem description,
> is happening when you call that service. But some Black Hat figured it out.

The rar compressor is not very useful in Linux. It has features I like, 
such as error correction, but it cannot save all the file attributes. I 
don't think it is popular.

However, it is possible to get emails with rar attachments. I have got a 
few. And there are tools that automatically examine the contents of emails.

-- 
Cheers, Carlos.
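The thread above turns on one mechanism: an archive entry name that is handed to a shell (or, as the Trellix proofs of concept do, to "eval") instead of being treated as an opaque string. The following is an added example, not code from the post or from the unrar/rar projects, showing what an automatic email or archive scanner should check and how to handle such names safely. The filenames in SAMPLE_NAMES are constructed for the example and stand in for an archive listing; they are not names from any real sample.

```python
import re
import shlex
import subprocess
import sys
from typing import List

# Bytes a POSIX shell would interpret if the name were interpolated into a
# command string, plus control characters that should never be in a filename.
SHELL_META = re.compile(r'[;&|`$(){}<>\n\r\x00-\x1f]')

# Constructed sample archive listing (assumption: this is what a scanner
# would obtain from an archive library or a tool's "list" mode).
SAMPLE_NAMES: List[str] = [
    "report_2025.pdf",
    "photos/holiday 01.jpg",
    "invoice;$(placeholder).pdf",
    "data`placeholder`.csv",
    "notes\nsecond_line.txt",
]


def suspicious_filenames(names: List[str]) -> List[str]:
    """Return the entry names a scanner should flag: anything a shell would
    parse as more than a literal word. Flag and quarantine; never run them."""
    return [n for n in names if SHELL_META.search(n)]


def safe_argv(tool: str, name: str) -> List[str]:
    """Build an argv list for a helper tool. Arguments passed as a list go
    straight to execve(), so no shell ever sees the metacharacters; the
    leading "--" stops a name beginning with "-" from being read as an option."""
    return [tool, "--", name]


def quoted_for_shell(name: str) -> str:
    """If a name must be embedded in a shell command line (e.g. a wrapper
    script), quote it so the shell treats it as one literal word."""
    return shlex.quote(name)


def roundtrip_without_shell(name: str) -> str:
    """Demonstrate that a hostile name passed via argv comes back unchanged:
    the child process prints its argument and nothing is evaluated.
    Uses the Python interpreter itself as the child so it runs anywhere."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", name],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for n in suspicious_filenames(SAMPLE_NAMES):
        print("FLAG:", repr(n))
        print("  safe argv:", safe_argv("file", n))
        print("  quoted   :", quoted_for_shell(n))
```

The defensive rule the example encodes is the one the earlier replies hint at: a filename is data, so either it never reaches a shell (argv list) or it reaches the shell only in quoted form; a scanner that builds `"command " + name` strings, or that evals anything derived from an attachment, is the bug, not the archive format.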


