Message-ID: <OF10645B61.55F3FEBF-ON85256C47.001E2536-88256C47.001DE916@hq.rapid7.com>
From: advisory at rapid7.com (Rapid 7 Security Advisories)
Subject: R7-0004: Multiple Vendor Long ZIP Entry Filename Processing Issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid 7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose(tm), our
advanced vulnerability scanner. Linux and Windows 2000
versions are available now!
_______________________________________________________________________
Rapid 7 Advisory R7-0004
Multiple Vendor Long ZIP Entry Filename Processing Issues
Published: October 2, 2002
Revision: 1.0
http://www.rapid7.com/advisories/R7-0004.txt
CERT: CERT Vulnerability Note VU#383779
http://www.kb.cert.org/vuls/id/383779
Microsoft: Microsoft Security Bulletin MS02-054
http://www.microsoft.com/technet/security/bulletin/MS02-054.asp
CVE: CAN-2002-0370
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0370
1. Affected system(s):
Several different vendors and products were tested, and many were
found to be vulnerable. A partial list of affected vendors follows.
Detailed results for many vendors are being withheld pending their
response to the issues described in this advisory. Customers who have
questions about how their products handle specially crafted ZIP files
are encouraged to contact their vendors directly.
For an up-to-date list of vendor statements, see CERT Vulnerability
Note VU#383779.
KNOWN VULNERABLE:
o Microsoft Windows XP
o Microsoft Windows ME
o Microsoft Windows 98 With Plus! Pack
o Lotus Notes R4
o Lotus Notes R5
o Lotus Notes R6 (pre-gold)
o Verity, Inc. KeyView viewing SDK
o Aladdin Systems Stuffit Expander (pre 7.0)
Apparently NOT VULNERABLE:
o WinRAR is believed to be NOT vulnerable
o WinZip 8.x is believed to be NOT vulnerable
o zlib is believed to be NOT vulnerable
2. Summary
Products and libraries from multiple vendors mishandle ZIP files
containing entries with long filenames. Typically, opening or
processing such a crafted ZIP file causes the program to crash or
behave unpredictably. Arbitrary code execution may be possible,
but no exploits are known at this time.
3. Vendor status and information
This is a partial list of affected products and vendors.
We will update our advisory as we get feedback from more
vendors. You may check back with us at
( http://www.rapid7.com/SecurityResearch.html ).
Microsoft Windows XP
Explorer.exe crashes when navigating through specially
crafted ZIP files.
The shell (Explorer.exe) in Windows XP provides functionality
to uncompress ZIP files on-the-fly, and presents them as folders
that users can navigate through. There exists a buffer overflow
in this feature which may allow malicious ZIP files to be
constructed that execute code upon access. It should be noted
that Explorer.exe does not display the filename if it is too
long. This may work to an attacker's advantage since suspicious
filenames would be hidden from the user.
Microsoft was notified of this issue, and a fix is available. More
information can be found in Microsoft Security Bulletin MS02-054.
This issue has been assigned a CVE ID of CAN-2002-0370.
Microsoft Windows ME
Windows ME provides functionality to uncompress ZIP files
on-the-fly, and presents them as folders that users can navigate
through. There exists a buffer overflow in this feature
which may allow malicious ZIP files to be constructed that
execute code upon access.
Microsoft was notified of this issue, and a fix is available. More
information can be found in Microsoft Security Bulletin MS02-054.
This issue has been assigned a CVE ID of CAN-2002-0370.
Microsoft Windows 98 With Plus! Pack
Windows 98 provides functionality to uncompress ZIP files
on-the-fly, and presents them as folders that users can navigate
through. There exists a buffer overflow in this feature
which may allow malicious ZIP files to be constructed that
execute code upon access.
Microsoft was notified of this issue, and a fix is available. More
information can be found in Microsoft Security Bulletin MS02-054.
This issue has been assigned a CVE ID of CAN-2002-0370.
Lotus Notes Client R4
Lotus Notes Client R4 crashes when viewing certain zip files
using the built-in attachment viewer.
The R4 Lotus Notes client incorporates attachment viewer technology
licensed from a third party. Choosing "View" on such an attachment
invokes the viewer, which then crashes the Lotus Notes client.
Lotus has been contacted regarding this issue. Fix information
is unknown. Newer clients (R5 and R6) bundle a different
attachment viewer (see below), which is also vulnerable.
Lotus Notes Client R5 and R6 (pre-gold)
Lotus Notes crashes when viewing certain zip files using the
built-in attachment viewer.
The R5 and R6 Lotus Notes clients incorporate attachment viewer
technology licensed from Verity, Inc. Choosing "View" on such an
attachment invokes the Verity viewer, which then crashes the Lotus
Notes client.
Lotus has been contacted regarding this issue. This issue is
being tracked as SPR# KSPR5CJV2G.
Lotus Notes R5.0.11 and earlier are vulnerable. Lotus plans to
fix this issue in the next maintenance release of R5.
All pre-Gold versions of Lotus Notes R6 are vulnerable. Lotus
has included the fix in R6 Gold and higher.
Verity KeyView viewing SDK
Products based on Verity, Inc.'s KeyView SDK may crash on
specially crafted files.
Verity has been contacted regarding this issue. Verity has
produced a fix to SDK v7.0 which is available to SDK customers
via Verity technical support. They are tracking this as bug
number 76316.
Since the Verity SDK is licensed by many different vendors,
concerned customers should obtain a fix directly from their
vendor, rather than contacting Verity directly.
Aladdin Stuffit Expander (all platforms)
Aladdin Stuffit Expander versions prior to 7.0 may crash on
specially crafted zip files.
Aladdin Systems, Inc. has been contacted regarding this issue.
Newer versions of Stuffit Expander are believed NOT to be
vulnerable. Please see http://www.stuffit.com/expander/cert.html
for upgrade instructions and more information.
4. Solution
Obtain a fix from your vendor. Until a fix is applied, avoid opening
or browsing ZIP files from untrusted sources with the affected
products; note that with the Windows shell, merely navigating into a
crafted ZIP folder is enough to trigger the issue.
5. Detailed analysis
The ZIP file format stores the length of each entry filename in a
two-byte field (present in both the local file header and the central
directory entry), so an entry name can be up to 65,535 bytes long. A
product that assumes a shorter maximum (for example, a fixed-size path
buffer) and copies the name without checking this field against the
space available is exposed to the overflows described above.
Many vendors have been tested and notified. Many products whose
primary purpose has nothing to do with compression contain ZIP
processing functionality for one reason or another. Some examples
include virus scanners, content scanning email gateways, "skinnable"
products whose skins are packaged in the ZIP format, and so on.
The original Info-ZIP public domain source code and its derivatives
do not appear to be vulnerable; zlib, which implements only the
deflate compression layer and never parses ZIP headers or filenames,
is likewise unaffected. However, we noticed crashes in several
Info-ZIP derived products -- the crashes typically occurred in the
user interface code, rather than the core ZIP processing routines.
To facilitate testing efforts by vendors and customers, we have made
several example ZIP files available on our website. Anyone may
download these files from http://www.rapid7.com/SecurityResearch.html
after agreeing to our terms of use.
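The following is an added example and is not part of the Rapid7 advisory or its test files. It hand-builds a ZIP archive whose single entry has a 65,535-byte name (the maximum the two-byte length field allows), walks the central directory with an explicit size check that models a fixed-size destination buffer, and confirms that Python's zipfile, which sizes its reads from the length fields rather than assuming a limit, reads the same file without trouble. The 260-byte buffer size and the "A"-filled name are assumptions for illustration only; the advisory does not state what buffer sizes the affected products used.

```python
import io
import struct
import zipfile
import zlib
from typing import List, Optional

# ZIP record signatures (PKWARE APPNOTE); all multi-byte fields are little-endian.
LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
LOCAL_FMT = "<IHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<IHHHHIIH"              # 22-byte end-of-central-directory record
MAX_NAME_LEN = 0xFFFF               # the 2-byte name-length field caps names at 65,535 bytes


def build_zip(entry_name: bytes, payload: bytes = b"hello") -> bytes:
    """Hand-build a single-entry, uncompressed (STORED) ZIP file.

    The headers are packed by hand rather than with zipfile so that the 2-byte
    filename-length field is visible in both places it occurs: the local file
    header and the central directory entry. Date/time fields are left zero."""
    if len(entry_name) > MAX_NAME_LEN:
        raise ValueError("ZIP entry names are limited to %d bytes" % MAX_NAME_LEN)
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    size = len(payload)
    # sig, version needed, flags, method (0 = stored), mtime, mdate, crc,
    # compressed size, uncompressed size, name length, extra length
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0, crc,
                        size, size, len(entry_name), 0) + entry_name + payload
    # sig, version made by, version needed, flags, method, mtime, mdate, crc,
    # sizes, name length, extra length, comment length, disk number,
    # internal attrs, external attrs, offset of the local header (0: first record)
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0, crc,
                          size, size, len(entry_name), 0, 0, 0, 0, 0, 0) + entry_name
    # sig, this disk, disk with central dir, entries on this disk, total entries,
    # central dir size, central dir offset, archive comment length
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def parse_central_directory(data: bytes, name_buffer_size: Optional[int] = None) -> List[bytes]:
    """Walk the central directory and return the raw entry names.

    name_buffer_size models a fixed-size destination buffer in the consuming
    code (260 bytes, the Win32 MAX_PATH, is an assumed illustrative value; the
    advisory does not say what the affected products used). With it set, a name
    that would not fit is rejected before any copy happens."""
    eocd_off = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_off < 0 or eocd_off + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _cd_size, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd_off)
    names = []
    pos = cd_off
    for _ in range(total):
        if pos + 46 > len(data):
            raise ValueError("truncated central directory")
        fields = struct.unpack_from(CENTRAL_FMT, data, pos)
        if fields[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name_start = pos + 46
        if name_start + name_len > len(data):
            raise ValueError("entry name runs past end of file")
        # The check the vulnerable products lacked: trust the 16-bit length field
        # only after comparing it with the space actually available.
        if name_buffer_size is not None and name_len >= name_buffer_size:
            raise ValueError("entry name of %d bytes does not fit a %d-byte buffer"
                             % (name_len, name_buffer_size))
        names.append(data[name_start:name_start + name_len])
        pos = name_start + name_len + extra_len + comment_len
    return names


def read_with_stdlib(data: bytes) -> dict:
    """Read the archive with Python's zipfile, which sizes its reads from the
    length fields instead of assuming a maximum, and verify each entry's CRC."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


if __name__ == "__main__":
    crafted = build_zip(b"A" * MAX_NAME_LEN)  # constructed test file with a maximum-length name
    print("archive size:", len(crafted), "bytes")
    print("name length seen by stdlib:", max(len(n) for n in read_with_stdlib(crafted)))
    try:
        parse_central_directory(crafted, name_buffer_size=260)
    except ValueError as e:
        print("bounded parser rejected it:", e)
```

Writing the output of build_zip to disk gives a file suitable for testing a product's own ZIP handling; the same length field appears twice, so a product that checks the central directory but trusts the local header (or vice versa) can still be caught out.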
6. Contact Information
Rapid 7 Security Advisories
Email: advisory@...id7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid 7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact. This advisory may not be printed or distributed
in non-electronic media without the express written permission
of Rapid 7, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)
iD8DBQE9m8P8cL76DCfug6wRArAYAJ9OYL+rcgCSkphJ2fDMjdmcg1ezUQCgudP7
LhQHemgU/hlxnXpiPp7cu5g=
=qcmV
-----END PGP SIGNATURE-----