| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <C0641B79F7D6A44791BA8FA35BC143F901C7BA0A644F@apollo.corelan.be>
Date: Mon, 22 Mar 2010 10:08:51 +0100
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
"secalert@...urityreason.com" <secalert@...urityreason.com>,
"vuln@...unia.com" <vuln@...unia.com>
Cc: Corelan Team <Corelan.Team@...elan.be>
Subject: [CORELAN-10-016] - Ken Ward Zipper .zip 0day
Stack BOF
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@...elan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|
Advisory : CORELAN-10-016
Disclosure date : March 23rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-016
0x00 : Vulnerability information
--------------------------------
Product : Ken Ward's Zipper
Version : 4.60.019
Vendor/Author : Leung Yat Chun Joseph
URL : http://www.trans4mind.com/personal_development/zipper/
Platform : Windows (Tested on XP SP3 fully patched, inside VirtualBox)
Type of vulnerability : Stack Buffer Overflow
Risk rating : Medium
Issue fixed in version : <not fixed>
Vulnerability discovered by : corelanc0d3r
Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/
0x01 : Vendor description of software
-------------------------------------
>>From the vendor website:
"Zipper is a free compression program, and you don't need to pay anything for it. It doesn't contain pop-up ads or other annoying things. However, Zipper isn't free to maintain and wasn't free to create, because it contains commercial
components, and was build with programming software."
0x02 : Vulnerability details
----------------------------
In order for the vulnerability to be triggered, a user must be tricked into opening a specially crafted zip file from within the application, and double click on a filename inside the zip file, in an attempt to extract/view it.
After roughly 1022 bytes in the filename buffer, the exception handler was overwritten, allowing an attacker to take full control over the application flow, inject and execute arbitrary code on the machine.
The discovered vulnerability allows an attacker to execute arbitrary code within the context of the currently logged on user.
0x03 : Vendor communication
---------------------------
March 16 : Author contacted
March 19 : Sent reminder
March 23 : No answer, Public disclosure
0x04 : Exploit/PoC
------------------
A detailed write-up about the process to build the exploit for this vulnerability will be posted on www.abysssec.com on march 23rd, 2010
(afternoon - GMT+1)
Stay tuned (https://twitter.com/corelanc0d3r)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists