lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 4 Apr 2010 00:14:43 +0200
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"secalert@...urityreason.com" <secalert@...urityreason.com>,
	"vuln@...unia.com" <vuln@...unia.com>
Subject: [CORELAN-10-020] - ZipScan 2.2c .zip file Stack
	BoF


|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@...elan.be |
|                                                                  | 
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-020
Disclosure date : April 3rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020

 
00 : Vulnerability information
-------------------------------------
 Product : ZipScan 2.2c
 Version : 2.2c (latest version)
 Vendor : contact@...barsoftware.com / http://www.zipscan.co.uk/
 URL : http://www.zipscan.co.uk/download.htm
 Platform : Windows
 Type of vulnerability : Stack overflow
 Risk rating : medium
 Issue fixed in version : not fixed
 Vulnerability discovered by : Lincoln
 Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/

 
01 : Vendor description of software
-------------------------------------
>>From the vendor website:
"ZipScan searches archive files. It can search Zip, CAB, RAR, ACE,
InstallShield CAB, JAR, TAR, GZIP, Z, ZOO, LZH, ARJ, CHM and
OpenOffice files, including password-protected, nested and
self-extracting archives. The program supports text searching and can
open and extract files."
 
02 : Vulnerability details
-------------------------------------
When a specially crafted zip file is opened from within ZipScan,
an exception handler gets overwritten, allowing to trigger arbitrary
code execution. 
The way to trigger the vulnerability :

 - open the zip file from within ZipScan : "File  - Open Archive File"
Or
 - Click "open archive file and view its contents"
 - double-click on the filename inside the zip file

 
03 : Author/Vendor communication
-------------------------------------
 March 23 2010 : author contacted
 March 20 2010 : sent reminder
 April 3 2010 : No response, public disclosure


04 : PoC
----------
 http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ