Message-ID: <C0641B79F7D6A44791BA8FA35BC143F901F9277ACCF3@apollo.corelan.be>
Date: Mon, 19 Apr 2010 13:54:25 +0200
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: [CORELAN-10-026] TweakFS Zip Stack BOF

Advisory        : CORELAN-10-026
Disclosure date : April 19th, 2010
CVE Reference   : CVE-2010-1458
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026
 

00 : Vulnerability information 

 Product : TweakFS Zip Utility
 Version : 1.0 (latest version)
 Vendor : TweakFS
 URL : http://www.tweakfs.com/ 
 Platform : Windows
 Type of vulnerability : Stack buffer overflow
 Risk rating : High
 Issue fixed in version : not fixed
 Vulnerability discovered by : TecR0c
 Corelan Team :
 http://www.corelan.be:8800/index.php/security/corelan-team-members/



01 : Vendor description of software

"Create and Extract Zips TweakFS Zip Utility for FSX was designed to be a useful tool for unpacking Zip files downloaded from FS file libraries without the need for an existing 3rd-party Zip application, but the big handy feature is that it has a tree display of the Zip folder structure giving you a clear view of how the files will unpack and into which location."

 

02 : Vulnerability details

The application mishandles an overly long filename inside a zip file, which an attacker can
use in a manner other than the designer intended. This allows the attacker to execute arbitrary code on
the victim's machine when a specially crafted zip file is opened within the application.

 

03 : Author/Vendor communication
 April 7, 2010 : author contacted
 April 16, 2010  : sent reminder
 April 19th, 2010 : No response, public disclosure


04: Proof of Concept
You can download a PoC exploit for XP SP3 from
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026


