bulk_extractor Heap-Based Buffer Overflow Vulnerability in Unrar Code
Vulnerability
A heap-based buffer overflow vulnerability has been identified in the digital forensics tool bulk_extractor, specifically in version 1.4 and later. The issue arises in the RAR PPM LZ decoding path, where a crafted RAR file embedded in a disk image can cause an out-of-bounds write. This flaw leads to a crash when AddressSanitizer is enabled, and likely causes a crash or memory corruption in standard builds. There is potential for this vulnerability to be exploited for remote code execution.
Impact
Exploitation of this vulnerability causes a crash and a denial-of-service condition when bulk_extractor processes a crafted RAR file or a disk image containing such a file. In addition, the out-of-bounds write introduces the possibility of memory corruption, which could be leveraged for remote code execution.
Reproduction
The vulnerability can be reproduced by generating a crafted RAR file that exploits the buffer overflow, embedding it in a raw disk image, and then processing the image with bulk_extractor. The RAR file must be crafted to include a payload that triggers the overflow by manipulating the PPM LZ decoding parameters, specifically by setting a large length value that exceeds the buffer limits.
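As an added illustration (not bulk_extractor's or unrar's code), a hypothetical LZ back-reference copy that validates the input-supplied length and distance against the output window before any byte is written; the `lz_window` type, `lz_copy_match` and `demo` are assumptions for this example, and the sample data is constructed:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical hardened LZ back-reference copy (illustration only; not
 * bulk_extractor's unrar code). An LZ match says "copy `len` bytes from
 * `dist` bytes behind the current write position". Both values come from
 * untrusted input, so each is checked against the window before writing. */
typedef struct {
    uint8_t *win;     /* output window (heap buffer in a real decoder) */
    size_t   cap;     /* capacity of win */
    size_t   pos;     /* bytes written so far */
} lz_window;

/* Returns 0 on success, -1 when the match would read or write outside win. */
int lz_copy_match(lz_window *w, size_t dist, size_t len)
{
    if (dist == 0 || dist > w->pos)   /* source would lie before the window start */
        return -1;
    if (len > w->cap - w->pos)        /* destination would run past the window end */
        return -1;
    /* Byte-wise copy: overlapping matches (dist < len) are legitimate in LZ
     * and must replicate the pattern, so memcpy/memmove are not equivalent. */
    for (size_t i = 0; i < len; i++) {
        w->win[w->pos] = w->win[w->pos - dist];
        w->pos++;
    }
    return 0;
}

/* Constructed demonstration: a 16-byte window holding 4 literal bytes, then
 * one valid overlapping match and one match whose length exceeds the
 * remaining space. Returns 0 when both behave as expected. */
int demo(void)
{
    uint8_t buf[16] = {0};
    lz_window w = { buf, sizeof buf, 0 };
    memcpy(buf, "abcd", 4);
    w.pos = 4;
    if (lz_copy_match(&w, 4, 8) != 0) return 1;   /* "abcdabcdabcd", pos 12 */
    if (lz_copy_match(&w, 2, 100) == 0) return 2; /* oversized length rejected */
    return (w.pos == 12 && memcmp(buf, "abcdabcdabcd", 12) == 0) ? 0 : 3;
}
```

The second call models the reported condition, a length larger than the space left in the buffer; with the check in place it is refused instead of writing past the end.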