23rd Jan 2003 [SBWID-5948]
COMMAND
	WinRAR buffer overflow
SYSTEMS AFFECTED
	WinRAR 3.10 or lower version
PROBLEM
	In nesumin's [[email protected]] advisory:
	When WinRAR opens an archive file, it displays the archive's file list
	in a ListView control window.
	If a "long file extension" over 256 bytes exists in this file list, a
	buffer overflow occurs. (This may apply not only inside archives but
	also to general files.)
	The RET address is at offset 260 from "." (the offset value includes
	the first ".").
	The ESP register points to the address at offset 264 from ".", the
	area immediately after the RET address.
	If the RET address is overwritten with the address of a "jmp ESP" and
	the following area is overwritten with arbitrary binary code, that
	binary code can be executed.
	Note: a file extension is data that starts from 0x2e and excludes
	0x2e, 0x2f, 0x5c, 0x00.
	In the case of offset 260, the space available for binary code may not
	be enough on 3.00en and 2.90.
	But offsets that can control EIP exist other than 260. However, those
	offset values differ per version and language edition:
	3.00en, 2.90en and 2.90ja use 552; 3.00ja is 557; 3.10en is 692;
	3.10ja is 697.
	The RET address in this case may be the Exception Handler's :)
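	As an added example (not part of nesumin's advisory or of WinRAR's own code), the following Python applies the advisory's definition of a file extension (a run that starts at 0x2e and contains none of 0x2e, 0x2f, 0x5c, 0x00) to an archive's member list and flags any member whose extension exceeds the 256 bytes the advisory names. ZIP is used as the container only because Python's standard library can build and read it offline; the member names in the fixture are constructed for the demonstration, and the same check applies to any file list handed to a vulnerable viewer.

```python
"""Flag archive member names whose file extension exceeds 256 bytes.

Added example, not from the original advisory or from WinRAR. The extension
definition follows the advisory: a run starting right after 0x2e that ends at
the next 0x2e, 0x2f, 0x5c or 0x00. The ZIP container and the sample member
names are constructed here (assumption) so the script runs offline.
"""
import io
import zipfile
from typing import List, Tuple

# Bytes that terminate an extension run, per the advisory's definition.
EXT_TERMINATORS = frozenset({0x2E, 0x2F, 0x5C, 0x00})
# The advisory states that an extension "over 256 bytes" overflows the buffer.
MAX_SAFE_EXT_LEN = 256


def extension_lengths(name: bytes) -> List[int]:
    """Return the length of every extension run in name, in order.

    b"a.b.c" -> [1, 1]; b"dir/x.tar.gz" -> [3, 2]; b"noext" -> [].
    """
    lengths = []
    i = 0
    while i < len(name):
        if name[i] == 0x2E:
            j = i + 1
            while j < len(name) and name[j] not in EXT_TERMINATORS:
                j += 1
            lengths.append(j - i - 1)  # bytes after the dot, before terminator
            i = j                      # a terminating '.' starts the next run
        else:
            i += 1
    return lengths


def longest_extension(name: bytes) -> int:
    """Longest extension run in the name, or 0 when there is none."""
    runs = extension_lengths(name)
    return max(runs) if runs else 0


def is_oversized(name: bytes, limit: int = MAX_SAFE_EXT_LEN) -> bool:
    """True when any extension run in the name is longer than limit."""
    return longest_extension(name) > limit


def scan_zip_names(data: bytes, limit: int = MAX_SAFE_EXT_LEN) -> List[Tuple[str, int]]:
    """Return (member name, longest extension length) for flagged members."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            raw = info.filename.encode("utf-8", "surrogateescape")
            n = longest_extension(raw)
            if n > limit:
                flagged.append((info.filename, n))
    return flagged


def build_sample_archive() -> bytes:
    """Constructed fixture: two benign names and one 300-byte extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"ok")
        zf.writestr("src/main.tar.gz", b"ok")
        zf.writestr("notes." + "x" * 300, b"ok")  # oversized extension
    return buf.getvalue()


if __name__ == "__main__":
    for name, n in scan_zip_names(build_sample_archive()):
        print(f"FLAG {name[:40]}... extension length {n} > {MAX_SAFE_EXT_LEN}")
```

	The check is applied to the raw bytes of each member name rather than to a decoded string so that the length compared is the byte length the advisory speaks of; a backslash or slash ends a run, so only the final path component's extensions count toward the limit.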
SOLUTION
	Fixed version 3.11 of WinRAR was released (http://www.rarlab.com/)