lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 21 Apr 2010 20:42:52 +0200
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: [CORELAN-10-029] - ZipGenius v6.3.1.2552
 zgtips.dll Stack Buffer Overflow


|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@...elan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory : CORELAN-10-029
Disclosure date : Apr 21 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-029
 
00 : Vulnerability information

 Product : ZipGenius
 Version : 6.3.1.2552
 Vendor : ZipGenius
 URL  : http://www.zipgenius.com/
 URL2 : http://www.softpedia.com/get/Compression-tools/ZipGenius.shtmlPlatform : Windows
 Type of vulnerability : zgtips.dll stack buffer overflow
 Risk rating : Medium
 Issue fixed in version : <not fixed, workaround proposed by vendor>
 Vulnerability discovered by : Rick2600
 Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/
 

 
01 : Vendor description of software
 
>>From the vendor website:
"ZipGenius: the free and powerful archive manager for Windows.
ZipGenius can handle more than 20 compressed archive types,
so it is a perfet companion for your work and daily activities;
but ZipGenius doesn't handle compressed archives, only:
it is flexible and expandable so it could almost everything you want from it."
 
 
02 : Vulnerability details
 
The flaw resides in zgtips.dll, a DLL shipped with zipgenius.
This dll allows for shell integration and will display the contents of a zip file
when you hover the mouse over the archive file.
Aparently this doesn't deal well with a specially crafted zip file containing a
overly long filename, resulting in a stack buffer overflow.
It causes the exception handler to be overwritten, and then triggers an exception,
allowing execution of arbitrary code.
 
In order to trigger the vulnerability the user must run zipgenius.exe, click "open",
position/hover the mouse pointer over the crafted zip file (don't select it) and just wait.
 

zgtips!DllUnregisterServer+0x599c2:
032b3c96 8b4014 mov eax,dword ptr [eax+14h] ds:0023:41414155=????????
 
0:005> !exchain
0303e94c: zgtips!DllUnregisterServer+5a142 (032b4416)
0303e958: zgtips!DllUnregisterServer+5a19b (032b446f)
0303f950: 41414141
Invalid exception stack at 41414141
 
 
 
 
03 : Vendor communication
 
24th Mar, 2010 : Vendor contacted
25th Mar, 2010 : Vendor asked us to test latest version (build 2552)
25th Mar, 2010 : Vendor was informed about the vulnerability in the latest version
28th Mar, 2010 : Vendor confirmed the vulnerability
16th Apr, 2010 : Vendor posted a note about the problem on http://feeds.feedburner.com/zipgeniusnews
21st Apr, 2010 : Coordinated Disclosure
 
ZipGenius' note about the vulnerability :
 
Some week ago we were contacted by Peter Van Eeckhoutte (Corelan Security) in order to
report a flaw that causes many zip utilities to crash and open a door to malicious code.
The event is triggered by a specially crafted zip file which has a very very long
filename stored in its central directory, and when I talk about a "very very long"
filename, I mean a full path+filename info which is longer than the
system MAX_PATH constant (255 characters).
 
Many competitors didn't handle correctly this event and allowed the execution of a
malicious code (in Corelan proof of concept, the code shows just a message).
We tested ZipGenius latest build without checking the source code and found that...
ZipGenius is SAFE!
 
Our beloved software already handles this event since 2002:
the problem popped out just some week after Windows XP release in 2001
and we put a code that checks filename length while reading the archive;
if ZipGenius finds a very very long filename, it disables almost every
feature and you can just close the archive and go on.
Well, Corelan admits that ZipGenius main executable is safe but the problem
still lives in a DLL that ships with ZipGenius: zgtips.dll.
Peter is right and we worked together to fix the flaw,
but this event mad a new problem to pop out...
The zgtips.dll shell extension causes Windows Vista and 7 Explorer to crash.
It's really a weird behaviour: we modified a lot of code in that dll and we
also tried to rebuild it from the ground, but it still shows the "infotip"
on ZIP archives and, after about a minute, Explorer crashes.
On the contrary, in Windows XP this doesn't happen and the shell extension works as designed.
This behavour is leading us to take an hard decision: in next ZipGenius build,
zgtips.dll likely will be installed in Windows XP, 2000 and Server 2003/2008,
while it won't in Windows Vista and 7.
We are thinking that it is something related to the Aero interface of Vista/7
and we are still trying to uinderstand what is going on.
This also leads us to reconsider the decision to build an InfoTip
shell extension for x64 systems.
 
 
 
Corelan remarks :
1. Our PoC code contained MessageBox shellcode. So the statement that "the code shows just a message"
actually means that "arbitrary code was executed" :-)
2. Corelan Security Team would like to thank the author of this application for communicating and working with us.
 
 
04 : Workaround
 
The only way to prevent this vulnerability is by un-registering the vulnerable dll :
 
 
regsvr32 "C:\Program Files\ZipGenius 6\zgtips.dll" /U
 
  
05 : Exploit/PoC
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-029



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ