(NOT a) Security hole in SABnzbd

[stalbot]

I just downloaded an NZB that contained a sub folder named the same as the package, within that sub folder were further RAR files which were named identically to the original rars in the NZB package. There was also a single EXE file that was also named like a RAR file. SAB's unrar tool automatically RAN THIS EXE and it attempted to install Backdoor.Graybird. This was detected and blocked by my AV, however I'm not sure something else could have also been installed at the same time.

Because of this RARs-in-subfolder structure of this malicious package, the UNRAR.exe program appeared to be caught in an infinite loop, it kept generating more RAR files and unpacking them. The original 800 mb NZB grew quickly to 10+ GB as more and more copies of the RAR were created. I terminated the UNRAR.exe from task manager to end it.

I wanted to bring this to your attention. It appears there is a way to exploit the UNRAR.exe that is in the latest version of SAB to run program code automatically in windows with the active user's rights. In years of using the product I've never before seen this kind of exploit...

I'm on Windows 7 using SABNZBD 0.5.2 Final

I'd be happy to share the NZB file that I downloaded if anyone on the development team would like more specific details. Please email me at the email address associated with my forum account and I'll gladly give you more information privately.

Until this is resolved, I would STRONGLY recommend that windows users of SAB do not use the automatic unrar feature. let it PAR, then run your UNRARs manually. It's a pain in the butt, but it's better than having your computer join the zombie horde....

To think, I just had a malicious EXE execute on my machine... brr gives me the chills.

[Hmail]

It didn't ran, your AV checks your hard disk, and as soon as a new executable is arriving, it checks it. To prevent you from running it. And yes, it yells obviously. There is no way sabnzbd can protect you from downloading malicious executables. Don't give out security recommendations if you don't know what you are talking about.

[doubledrat]

what caused this continuous unpacking loop he referred to then?

[inpheaux]

1) Stop being so hysterical. Usenet is full of terrible shit, SABnzbd does not try to run anything executable.

2) As mentioned, SABnzbd likely did not run whatever was found. Like Hmail said, it was likely detected as soon as it was written to disk.

3) Before jumping to rash conclusions like "OMG SECURITY HOLE!", and started scaremongering, you should have brought this to our attention via [email protected] (or [email protected], or IRC, or whatever). If you email the "malicious" nzb there we'll gladly take a look at it and prove to you what really happened. This is much preferable to you running in here and screaming about security holes and what Windows users should or shouldn't be doing.

4)

what caused this continuous unpacking loop he referred to then?

SABnzbd attempts to recursively unrar stuff, but if the structure is rars -> subfolder -> more rars it may very well get stuck in an infinite loop. This is a known bug, and I believe it's been addressed in 0.5.3.

[stalbot]

3) Before jumping to rash conclusions like "OMG SECURITY HOLE!", and started scaremongering, you should have brought this to our attention via [email protected] (or [email protected], or IRC, or whatever). If you email the "malicious" nzb there we'll gladly take a look at it and prove to you what really happened. This is much preferable to you running in here and screaming about security holes and what Windows users should or shouldn't be doing.

Sure, good point & thanks for the useful advice. I will mention though that I am almost confident that the executable did run. The AV software reported 'blocked attempts' by this backdoor, not that it was 'detected in a file' which I have seen before. Further, its log shows that that the EXE was terminated from memory prior to moving it to quarantine.

I wasn't aware of the bugs email address, and I do realize I've likely been a bit more hysterical than I should have been, but I'm pretty confident about the accuracy of what I've reported here and I felt it was important to raise attention asap.

Apologize for being an outsider bothering the community and not following the rules.

[Hmail]

The 'blocked attempts' is probably because sabnzbd extracted it, not you. It doesn't run. Try downloading an application and wait till it's installed (without you doing anything). Don't hold your breath. Besides that, you 'advised' users to unrar everything manually. The sabnzbd library is exactly the same. As inpheaux said: try to mail something first. Don't start shouting on a forum, because a: you look like a idiot, and b: you might get one or two users panicking. Because you didn't think first.
As for your virus scanner: contact your manufacturer. He might have an explanation for it's behavior. This is the wrong forum for that.

[shypike]

BTW: should anything have "run", it would be a security hole in unrar, not SABnzbd.
As far as I know, it's not even possible to let unrar autorun anything (for good reasons).
There are auto-unrarring exe-files, but even those are handled safely if you let the
unrar program do the unpacking. SABnzbd handles it likewise.

BTW: the "infinite" loop bug was solved in 0.5.2.
It's still potentially present if you use an unsupported unrar version, but even then SABnzbd limits "infinite" to 50.

The biggest potential security leak would be a RAR file containing absolute paths
(so that system files would be overwritten).
However, SABnzbd doesn't allow unrar to do this.

[doubledrat]

Apologize for being an outsider bothering the community and not following the rules.

you are not an outsider.  If you use SABNZBD, you're one of us!

I think the others were a little hard on you; you posted in good faith and to be helpful.  Don't be put off being an active member of this community.

[shypike]

Indeed.