Message-ID: <C0641B79F7D6A44791BA8FA35BC143F901F9277ACD43@apollo.corelan.be>
Date: Sat, 24 Apr 2010 17:26:48 +0200
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: [CORELAN-10-031] - ZipWrangler 1.2 .zip Stack Buffer Overflow
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@...elan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|
Advisory : CORELAN-10-031
Disclosure date : April 24th, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031
00 : Vulnerability information
Product : Zip Wrangler
Version : 1.20
Vendor/Author : CursorArts
URL : http://www.cursorarts.com/ca_zw.html
Platform : Windows (Tested on XP SP3 fully patched)
Type of vulnerability : Stack Buffer Overflow
Risk rating : High
Issue fixed in version : <not fixed>
Vulnerability discovered by : TecR0c
Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/
01 : Vendor description of software
From the vendor website:
"ZipWrangler: The simple, quick and free way to extract and create your own zip and other archive files.
Use ZipWrangler's Viewer to take a look into these files before you decide whether or not to run or extract the contents.
You can also Run program from within the archive without extracting.
And you can use ZipWrangler to easily create your own compressed files for making them faster to send over the internet or by e-mail"
02 : Vulnerability details
The application does not correctly handle an overly long filename stored inside a .zip archive, which an attacker can use in a manner other
than the designer intended. Since the SE Handler can be overwritten, an attacker can take full control over the application flow and
inject and execute arbitrary code on the machine. The attacker will be able to gain the same rights as the user running the application.
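As an added, defender-side illustration (not code from the advisory or from Corelan), the following Python scanner walks a .zip file's central directory by hand and flags every entry whose stored filename length exceeds a threshold, which is the input condition the advisory describes. The ZIP header layout is the standard one; the 255-byte threshold and the constructed sample archive are assumptions made for this example.

```python
import io
import struct
import zipfile

CENTRAL_SIG = 0x02014b50
EOCD_SIG = b"PK\x05\x06"
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory file header
CENTRAL_LEN = struct.calcsize(CENTRAL_FMT)
# Assumption: 255 bytes as the threshold. MAX_PATH-sized fixed buffers are the
# usual victims of this bug class, and legitimate archive paths rarely approach it.
MAX_SAFE_NAME_LEN = 255


def scan_zip_names(data: bytes, limit: int = MAX_SAFE_NAME_LEN):
    """Return (entry_index, name_length, name_prefix) for every central
    directory entry whose filename is longer than `limit` bytes.

    The central directory is parsed by hand rather than through zipfile so a
    deliberately malformed archive is still inspected instead of raising.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record found")
    # EOCD: sig, disk, cd_disk, entries_this_disk, entries_total, cd_size, cd_offset, comment_len
    _sig, _disk, _cd_disk, _n, total, _cd_size, cd_off, _clen = struct.unpack_from(
        "<IHHHHIIH", data, eocd
    )
    findings = []
    pos = cd_off
    for idx in range(total):
        if pos + CENTRAL_LEN > len(data):
            break  # truncated directory; stop rather than read past the buffer
        fields = struct.unpack_from(CENTRAL_FMT, data, pos)
        if fields[0] != CENTRAL_SIG:
            break  # directory does not start where the EOCD claims
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name = data[pos + CENTRAL_LEN : pos + CENTRAL_LEN + name_len]
        if name_len > limit:
            findings.append((idx, name_len, name[:32].decode("latin-1")))
        pos += CENTRAL_LEN + name_len + extra_len + comment_len
    return findings


def build_sample(names):
    """Constructed sample archive (not a real file): one stored entry per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for n in names:
            zf.writestr(n, b"sample")
    return buf.getvalue()


def demo():
    # One ordinary entry and one with a 609-byte path, which the scanner should flag.
    sample = build_sample(["readme.txt", "docs/" + "A" * 600 + ".txt"])
    return scan_zip_names(sample)


if __name__ == "__main__":
    for idx, length, prefix in demo():
        print(f"entry {idx}: filename length {length} exceeds limit ({prefix}...)")
```

The scanner reads the central directory because that is what extractors use to enumerate an archive; a mail gateway or endpoint agent can apply the same check before an archive reaches a viewer with a fixed-size filename buffer.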
03 : Vendor communication
April 10 : Author contacted
April 18 : Sent reminder
April 25 : No answer, Public disclosure
04 : Exploit PoC
Download Here : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/