It’s the unrelenting “no exceptions possible” bureaucracy that always gets to me in cases likes this. I find it really soul-crushing, especially where it’s so damn obvious and has such large impact on people/companies.
It’s certainly suspicious. It’s hard to imagine what malware would be doing that would otherwise require 570 MB. Do any of you have a signed WinRAR handy to look at which hash algorithm they’re using for signing?
On the other hand, without an insider controlling the original that got signed, an attack on the hash would require a second-preimage attack. I’m not aware that anyone has found a second-preimage attack on MD5, but given the weaknesses we already know about MD5, I don’t think anyone would be surprised to find someone had found a practical second-preimage attack on md5.
Another possibility is that this leveraged the bug where Microsoft’s signature signing didn’t check that there wasn’t any unsigned data tacked on the end of a signed binary, and since Java JAR files have all of their headers at the tail end, a carelessly written signed executable that launched a JVM and used itself as a JAR file could be tricked into using an alternative JAR file simply by appending the malicious JAR to the end of the signed executable. Though, even if the malware were written in Java, that still looks like a lot of bloat. I wouldn’t expect WinRAR or the WinRAR installer to use Java, but maybe it does something similar with appended data, and maybe the 570 MB is needed to exploit a buffer overflow in the signed executable that is loading data from its own tail.
My assumptions are the following (and could all be wrong):
WinRAR installer is a self-executing RAR archive
an attack like SHAttered was carried out to append collision blocks that can reset the hash function’s internal state
the RAR format allows trickery to append collision blocks in a way that it overwrites/cancels previously unpacked resources
I want to re-emphasize, this is guesswork and I don’t know if it’s that valuable to mount this attack on the WinRAR installer, “just” to bypass code signing.
There are several classes of attacks on hash functions:
(1) Collision attacks: attacker creates two files with the same hash
(2). Second preimage attack: defender creates a file, attacker reads the file, and attacker creates a second file with the same hash.
(3) Preimage attack: attacker doesn’t have an example file to work with and needs to create a file with the given hash.
SHAttered is a collision attack, not a second-preimage attack. The attacker needs to create both the legitimate-looking and non-legitimate file. Using SHAttered in this case would require an inside job, or some social engineering to get the attacker-created legitimate-looking file signed.
Without social engineering or an inside person, an attack on the hash would require a second-preimage attack.
It’s a famous file compression/archiving program for Windows. The name is synonymous with the RAR archive format which was really popular in the 90’s warez scene due to better compression and additional features.
I honestly feel sorry for companies like WinRAR. It’s not their fault at all that they get targeted by malware authors like they do.
It’s the unrelenting “no exceptions possible” bureaucracy that always gets to me in cases likes this. I find it really soul-crushing, especially where it’s so damn obvious and has such large impact on people/companies.
It seems they get targetted by antivirus software authors. But I guess you can count Antivirus software as a subcategory of malware.
A certificate misused on a 570mb file. Does this smell like a hash extension attack to anyone else?
It’s certainly suspicious. It’s hard to imagine what malware would be doing that would otherwise require 570 MB. Do any of you have a signed WinRAR handy to look at which hash algorithm they’re using for signing?
On the other hand, without an insider controlling the original that got signed, an attack on the hash would require a second-preimage attack. I’m not aware that anyone has found a second-preimage attack on MD5, but given the weaknesses we already know about MD5, I don’t think anyone would be surprised to find someone had found a practical second-preimage attack on md5.
Another possibility is that this leveraged the bug where Microsoft’s signature signing didn’t check that there wasn’t any unsigned data tacked on the end of a signed binary, and since Java JAR files have all of their headers at the tail end, a carelessly written signed executable that launched a JVM and used itself as a JAR file could be tricked into using an alternative JAR file simply by appending the malicious JAR to the end of the signed executable. Though, even if the malware were written in Java, that still looks like a lot of bloat. I wouldn’t expect WinRAR or the WinRAR installer to use Java, but maybe it does something similar with appended data, and maybe the 570 MB is needed to exploit a buffer overflow in the signed executable that is loading data from its own tail.
My assumptions are the following (and could all be wrong):
I want to re-emphasize, this is guesswork and I don’t know if it’s that valuable to mount this attack on the WinRAR installer, “just” to bypass code signing.
There are several classes of attacks on hash functions: (1) Collision attacks: attacker creates two files with the same hash (2). Second preimage attack: defender creates a file, attacker reads the file, and attacker creates a second file with the same hash. (3) Preimage attack: attacker doesn’t have an example file to work with and needs to create a file with the given hash.
SHAttered is a collision attack, not a second-preimage attack. The attacker needs to create both the legitimate-looking and non-legitimate file. Using SHAttered in this case would require an inside job, or some social engineering to get the attacker-created legitimate-looking file signed.
Without social engineering or an inside person, an attack on the hash would require a second-preimage attack.
You’re right, I misremembered how SHAttered works. Thank you!
I wish they’d named the CA who revoked their certificate and never contacted them about it. I want to know who to avoid.
In the links in the statement Comodo/Sectigo and CodeSignCert are named.
if you click on the links, it has a name
What‘s WinRAR?
It’s a famous file compression/archiving program for Windows. The name is synonymous with the RAR archive format which was really popular in the 90’s warez scene due to better compression and additional features.