Zero Day Initiative | Blog

CVE-2024-20697: Windows Libarchive Remote Code Execution Vulnerability

An integer overflow vulnerability exists in the Libarchive library included in Microsoft Windows, due to insufficient bounds checks on the block length of a RARVM filter used for Intel E8 preprocessing in a RAR archive. A remote attacker could exploit this vulnerability by enticing a target user into extracting a crafted RAR archive, potentially leading to arbitrary code execution in the context of the application using the vulnerable library.

The vulnerability is related to the parsing of a RAR archive, which consists of a series of variable-length blocks, each beginning with a header. Compressed file data may carry RARVM filters; the E8 filter walks the filtered block looking for x86 CALL (0xE8) opcodes whose 32-bit operands the encoder converted for better compression, and converts them back. The vulnerability is triggered when a RARVM filter with a specific fingerprint is executed with a block length that passes the insufficient lower-bound check: the subtraction in the loop condition of the execute_filter_e8() function overflows, so the loop index runs past the end of the heap-based buffer representing the VM memory, and the filter performs memory accesses that are out of the bounds of that buffer.

To detect an attack exploiting this vulnerability, a detection device must monitor and parse traffic on common ports where a RAR archive might be sent, such as FTP, HTTP, SMTP, IMAP, SMB, and POP3. The device must identify the RarBlock Marker, ArcHeader, and FileHeader blocks, and then parse the compressed data of the file. Each block must be extracted according to the algorithm used to compress it; if a block compressed using the LZ algorithm is encountered, the device must decode the Huffman tables and symbols. If symbol 257 is encountered, the device must parse the following data as a RARVM filter and calculate the size of the Code field. The device must then parse the Code field according to the specified structure and read its numerical fields according to the implemented algorithm, since the filter's block length is only available after this decoding and cannot be judged from the archive headers alone.
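The following is an added example, not libarchive's code and not part of the original advisory: a small model of the RAR E8 filter loop showing how a block length that passes a weak lower-bound check makes the loop condition wrap and walk the index off the end of the VM work area, beside a hardened check that rejects it. The VM work-area size (0x40000), the exact pre-fix and post-fix length tests, the helper names, and the sample CALL bytes are all assumptions constructed for the illustration; the out-of-bounds accessors are instrumented to report the overrun rather than corrupt the heap.

```c
/* Added example, not libarchive's code: a model of the RAR E8/E9 filter
 * with a weak block-length check beside a hardened one. The VM size and
 * the exact length tests are assumptions, not copied from libarchive. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VM_MEMORY_SIZE 0x40000      /* assumed size of the RARVM work area */

struct vm {
    uint8_t memory[VM_MEMORY_SIZE];
    int oob;                        /* set when an access would leave memory[] */
};

/* Bounds-checked accessors. A real decoder has no such flag; it is here so
 * the out-of-bounds walk can be observed instead of crashing the process. */
static int vm_read_8(struct vm *vm, size_t off, uint8_t *out)
{
    if (off >= VM_MEMORY_SIZE) { vm->oob = 1; return 0; }
    *out = vm->memory[off];
    return 1;
}

static uint32_t vm_read_32(struct vm *vm, size_t off)
{
    if (off + 4 > VM_MEMORY_SIZE) { vm->oob = 1; return 0; }
    return (uint32_t)vm->memory[off] | (uint32_t)vm->memory[off + 1] << 8 |
           (uint32_t)vm->memory[off + 2] << 16 | (uint32_t)vm->memory[off + 3] << 24;
}

static void vm_write_32(struct vm *vm, size_t off, uint32_t v)
{
    if (off + 4 > VM_MEMORY_SIZE) { vm->oob = 1; return; }
    vm->memory[off]     = (uint8_t)v;
    vm->memory[off + 1] = (uint8_t)(v >> 8);
    vm->memory[off + 2] = (uint8_t)(v >> 16);
    vm->memory[off + 3] = (uint8_t)(v >> 24);
}

/* E8 preprocessing: for each 0xE8 (and, with e9also, 0xE9) opcode, convert
 * the rel32 operand that the encoder stored in absolute form back to a
 * CPU-relative displacement. `length` is the filter block length taken
 * from the archive, so it is attacker-controlled.
 * Returns 1 on success, 0 if the length is rejected, -1 if the loop left
 * the work area (the instrumented stand-in for the heap overflow). */
static int e8_filter(struct vm *vm, uint32_t length, uint32_t pos,
                     int e9also, int hardened)
{
    const uint32_t filesize = 0x1000000;
    uint32_t i;

    /* Weak check: length == 4 is accepted, and `length - 5` then wraps to
     * 0xFFFFFFFF (well defined for unsigned, but the loop bound is gone).
     * Hardened check: reject any length that makes the bound wrap. */
    if (hardened ? (length > VM_MEMORY_SIZE || length <= 4)
                 : (length > VM_MEMORY_SIZE || length < 4))
        return 0;

    for (i = 0; i <= length - 5; i++) {
        uint8_t op;
        if (!vm_read_8(vm, i, &op))
            return -1;
        if (op == 0xE8 || (e9also && op == 0xE9)) {
            uint32_t currpos = pos + i + 1;
            int32_t address = (int32_t)vm_read_32(vm, i + 1);
            if (address < 0 && currpos >= (uint32_t)-address)
                vm_write_32(vm, i + 1, (uint32_t)address + filesize);
            else if (address >= 0 && (uint32_t)address < filesize)
                vm_write_32(vm, i + 1, (uint32_t)address - currpos);
            if (vm->oob)
                return -1;
            i += 4;
        }
    }
    return 1;
}

static struct vm g_vm;      /* 256 KiB; static to keep it off the stack */

/* Constructed input: a CALL with absolute operand 0x1000 at offset 0. With
 * block length 16 the filter rewrites the operand to 0x1000 - 1 = 0x0FFF. */
static int demo_normal_block(void)
{
    static const uint8_t call[] = { 0xE8, 0x00, 0x10, 0x00, 0x00 };
    memset(&g_vm, 0, sizeof g_vm);
    memcpy(g_vm.memory, call, sizeof call);
    if (e8_filter(&g_vm, 16, 0, 0, 1) != 1)
        return -1;
    return vm_read_32(&g_vm, 1) == 0x0FFF && !g_vm.oob;
}

/* The trigger: a block length of exactly 4. The weak check returns -1 (the
 * loop walked off the end of memory[]); the hardened check returns 0. */
static int demo_length_4(int hardened)
{
    memset(&g_vm, 0, sizeof g_vm);
    return e8_filter(&g_vm, 4, 0, 1, hardened);
}

int main(void)
{
    printf("normal block: %d\n", demo_normal_block());
    printf("length 4, weak check: %d\n", demo_length_4(0));
    printf("length 4, hardened check: %d\n", demo_length_4(1));
    return 0;
}
```

The instrumented `oob` flag is what makes the flaw visible without a crash: in a real decoder the same loop reads and writes past the heap allocation, which is the condition the detection logic above has to recognise by recovering the filter's block length from the decoded RARVM data.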