Message-ID: <C0641B79F7D6A44791BA8FA35BC143F901F9277ACD49@apollo.corelan.be>
Date: Sun, 25 Apr 2010 10:28:31 +0200
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: [CORELAN-10-032] - Easyzip 2000 .zip Stack BOF


|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@...elan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory : CORELAN-10-032
Disclosure date : 21st Apr 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-032


0x00 : Vulnerability information

 [+] Product : Easyzip 2000
 [+] Version : 3.5
 [+] Vendor : http://www.thefreesite.com/
 [+] URL : http://www.thefreesite.com/ezip35.exe
 [+] Type of vulnerability : Local Buffer Overflow
 [+] Risk rating : High
 [+] Issue fixed in version : none
 [+] Vulnerability discovered by : mr_me
 [+] Greetings to : The Corelan Security Team (http://www.corelan.be:8800/index.php/security/corelan-team-members/)



0x01 : Vendor description of software

From the vendor website:

This freeware utility is a powerful, easy-to-use FREE zip and unzip utility. 
It offers all the features you'd find in the commercial compression programs.



0x02 : Vulnerability details
Local Stack Overflow:

When the application receives a malicious '.zip' file, it fails to properly sanitize the 'filename' field in the zip, resulting in a stack-based buffer overflow.
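
The missing check described above, shown as an added example that is not part of the advisory and not Easyzip's code: a bounded read of the file name field from a ZIP local file header in C. The 260-byte destination size and the names zip_entry_name and make_sample are assumptions made for illustration.

```c
/* Added example, not Easyzip code: bounded copy of a ZIP entry's file name. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LFH_FIXED 30        /* fixed part of a ZIP local file header */
#define NAME_MAX_OUT 260    /* assumed destination buffer size */

enum { ZIP_OK = 0, ZIP_BAD_SIG = -1, ZIP_TRUNCATED = -2,
       ZIP_NAME_TOO_LONG = -3, ZIP_NAME_HAS_NUL = -4 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Copy the entry name at buf into out[NAME_MAX_OUT]; never writes past out. */
int zip_entry_name(const uint8_t *buf, size_t len, char *out)
{
    static const uint8_t sig[4] = { 'P', 'K', 3, 4 };
    if (len < LFH_FIXED) return ZIP_TRUNCATED;
    if (memcmp(buf, sig, 4) != 0) return ZIP_BAD_SIG;
    size_t name_len = le16(buf + 26);   /* length comes from the file: 0..65535 */
    if (name_len > len - LFH_FIXED) return ZIP_TRUNCATED;    /* claims more than is present */
    if (name_len >= NAME_MAX_OUT) return ZIP_NAME_TOO_LONG;  /* no room for name plus NUL */
    if (memchr(buf + LFH_FIXED, 0, name_len)) return ZIP_NAME_HAS_NUL;
    memcpy(out, buf + LFH_FIXED, name_len);
    out[name_len] = '\0';
    return ZIP_OK;
}

/* Constructed sample input: a header whose name is name_len copies of 'a'. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t name_len)
{
    if (cap < (size_t)LFH_FIXED + name_len) return 0;
    memset(buf, 0, LFH_FIXED);
    memcpy(buf, "PK\x03\x04", 4);
    buf[26] = (uint8_t)(name_len & 0xff);   /* name length, little-endian */
    buf[27] = (uint8_t)(name_len >> 8);
    memset(buf + LFH_FIXED, 'a', name_len);
    return (size_t)LFH_FIXED + name_len;
}

int main(void)
{
    uint8_t buf[1024]; char name[NAME_MAX_OUT];
    size_t n = make_sample(buf, sizeof buf, 8);
    printf("8-byte name: %d\n", zip_entry_name(buf, n, name));
    n = make_sample(buf, sizeof buf, 300);
    printf("300-byte name: %d\n", zip_entry_name(buf, n, name));
    return 0;
}
```

The length field is validated twice: once against the bytes actually available in the input and once against the destination, so a header that lies about either is rejected before any copy takes place.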


0x03 : Vendor communication

 [*] 8th Apr, 2010 : Vendor contacted
 [*] 18th Apr, 2010 : Vendor reminded of vulnerability
 [*] 25th Apr, 2010 : No response
 [*] 25th Apr, 2010 : Public Disclosure



0x04 : Exploit/PoC

http://www.corelan.be:8800/advisories.php?id=CORELAN-10-032
