From Convenience to Contagion: The Libarchive Vulnerabilities Lurking in Windows 11

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
Not yet available
Language
English
Abstract
In the October 2023 update, Windows 11 introduced support for 11 additional compression formats, including RAR and 7z, allowing users to manage these types of files natively within File Explorer. The enhancement significantly improves convenience; however, it also introduces potential security risks. To support these various compression formats, Windows 11 utilizes the libarchive library, a well-established open-source library used across multiple operating systems like Linux, BSD, and macOS, and in major projects such as ClickHouse, Homebrew, and Osquery.

The libarchive has been continuously fuzzed by Google’s OSS-Fuzz project, making it a time-tested library. However, its coverage in OSS-Fuzz has been less than ideal. In addition to the two remote code execution (RCE) vulnerabilities disclosed by Microsoft Offensive Research & Security Engineering (MORSE) in January, we have identified several vulnerabilities in libarchive through code review and fuzzing. These include a heap buffer overflow vulnerability in the RAR decompression and arbitrary file write and delete vulnerabilities due to insufficient checks of libarchive’s output on Windows. Additionally, in our presentation, we will reveal several interesting features that emerged from the integration of libarchive with Windows.

And whenever vulnerabilities are discovered in widely-used libraries like libarchive, their risks often permeate every corner, making it difficult to estimate the potential hazards. Moreover, when Microsoft patches Windows, the corresponding fixes are not immediately merged into libarchive. This delay gives attackers the opportunity to exploit other projects using libarchive. For example, the vulnerabilities patched by Microsoft in January were not merged into libarchive until May, leaving countless applications exposed to risk for four months. The worst part is that the developers might not know the vulnerability details or even be aware of its existence. To illustrate this situation, we will use the vulnerabilities we reported to ClickHouse as an example to demonstrate how attackers can exploit the vulnerabilities while libarchive remains unpatched.

We will introduce the new Compressed Archived folder feature in Windows 11 and review the vulnerabilities of the previous Compressed (zipped) folder. Next, we will explain how we analyzed the libarchive that Windows 11 introduced to support various compression formats. Despite extensive fuzz testing by OSS-Fuzz, we discovered several vulnerabilities in libarchive through code review and fuzzing, including an RCE (Remote Code Execution) vulnerability. Finally, we will use the ClickHouse case to explain how we triggered an RCE vulnerability in ClickHouse while the patch had not been merged upstream.

Talk ID
38c3-192
Event:
38c3
Day
4
Room
Saal ZIGZAG
Start
1:50 p.m.
Duration
00:40:00
Track
Security
Type of
Talk
Speaker
NiNi Chen
NiNi Chen
Talk Slug & media link
38c3-192-from-convenience-to-contagion-the-libarchive-vulnerabilities-lurking-in-windows-11

The video is not yet available