Message-ID: <C0641B79F7D6A44791BA8FA35BC143F901E57FC8DC71@apollo.corelan.be>
Date: Sun, 4 Apr 2010 00:14:43 +0200
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"secalert@...urityreason.com" <secalert@...urityreason.com>,
	"vuln@...unia.com" <vuln@...unia.com>
Subject: [CORELAN-10-020] - ZipScan 2.2c .zip file Stack
	BoF


|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@...elan.be |
|                                                                  | 
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-020
Disclosure date : April 3rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020

 
00 : Vulnerability information
-------------------------------------
 Product : ZipScan 2.2c
 Version : 2.2c (latest version)
 Vendor : contact@...barsoftware.com / http://www.zipscan.co.uk/
 URL : http://www.zipscan.co.uk/download.htm
 Platform : Windows
 Type of vulnerability : Stack overflow
 Risk rating : medium
 Issue fixed in version : not fixed
 Vulnerability discovered by : Lincoln
 Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/

 
01 : Vendor description of software
-------------------------------------
From the vendor website:
"ZipScan searches archive files. It can search Zip, CAB, RAR, ACE,
InstallShield CAB, JAR, TAR, GZIP, Z, ZOO, LZH, ARJ, CHM and
OpenOffice files, including password-protected, nested and
self-extracting archives. The program supports text searching and can
open and extract files."
 
02 : Vulnerability details
-------------------------------------
When a specially crafted zip file is opened from within ZipScan,
an exception handler is overwritten, which allows arbitrary code
execution to be triggered.
The vulnerability can be triggered in either of the following ways:

 - open the zip file from within ZipScan : "File  - Open Archive File"
Or
 - Click "open archive file and view its contents"
 - double-click on the filename inside the zip file

 
03 : Author/Vendor communication
-------------------------------------
 March 23 2010 : author contacted
 March 20 2010 : sent reminder
 April 3 2010 : No response, public disclosure


04 : PoC
----------
 http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
