Bugtraq mailing list archives

def-2001-09: Winzip32 zipandemail Buffer Overflow


From: Peter Gründl <peter.grundl () DEFCOM COM>
Date: Fri, 2 Mar 2001 14:35:41 +0100

======================================================================
                  Defcom Labs Advisory def-2001-09

                Winzip32 zipandemail Buffer Overflow

Author: Peter Gründl <peter.grundl () defcom com>
Release Date: 2001-03-02
======================================================================
------------------------=[Brief Description]=-------------------------
Winzip contains an exploitable buffer overflow flaw that could allow
an attacker to execute arbitrary code under the user context of the
user or service running winzip.

------------------------=[Affected Systems]=--------------------------
- Winzip 8.0 for Windows NT/2000

----------------------=[Detailed Description]=------------------------
The /zipandemail option in winzip contains a buffer overflow flaw when
handling very long filenames. The EIP is overwritten and a carefully
crafted filename could allow for execution of arbitrary code.

The probability of this happening "in the wild" is very low, as the
overflow only triggers if winzip is used with this option.

Theoretically, this could occur when a .jpg with a malformed filename
is 'zipped and emailed'. Alternatively, if an attacker managed to place
a malicious file in the log directory on an automated logging system,
then the automated zipping and emailing of the log would trigger the
overflow.

---------------------------=[Workaround]=-----------------------------
Don't use the /zipandemail function indiscriminately before a fix has
been released.
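For the automated log-collection case described above, one practical interim control is to hold back any file whose name or full path is unusually long before the batch is handed to WinZip. This is an added example, not code from the advisory or from WinZip; the length caps are constructed assumptions, since the advisory does not state the length that overflows.

```python
"""Pre-flight filename check for a log collector that feeds WinZip's
/zipandemail option.  Files whose basename or full path exceeds a cap are
held back instead of being passed to WinZip."""
import ntpath  # Windows path rules, usable on any platform
import os

# Assumed caps (constructed values): the advisory gives no exact overflow
# length, so these are deliberately conservative for a log directory.
MAX_NAME_LEN = 64
MAX_PATH_LEN = 200


def classify(paths, max_name=MAX_NAME_LEN, max_path=MAX_PATH_LEN):
    """Split candidate paths into those safe to zip and those to hold back.

    Returns (safe, held); held is a list of (path, reason) tuples so the
    collector can log why a file was skipped rather than silently drop it.
    """
    safe, held = [], []
    for p in paths:
        name = ntpath.basename(p)
        if len(name) > max_name:
            held.append((p, "basename %d > %d" % (len(name), max_name)))
        elif len(p) > max_path:
            held.append((p, "path %d > %d" % (len(p), max_path)))
        else:
            safe.append(p)
    return safe, held


def scan_dir(log_dir, **caps):
    """Apply classify() to the regular files directly inside log_dir."""
    paths = [os.path.join(log_dir, n) for n in sorted(os.listdir(log_dir))
             if os.path.isfile(os.path.join(log_dir, n))]
    return classify(paths, **caps)


if __name__ == "__main__":
    # Constructed sample batch: two ordinary logs plus one planted long name.
    batch = ["C:\\logs\\app-2001-03-02.log",
             "C:\\logs\\sys-2001-03-02.log",
             "C:\\logs\\" + "A" * 300 + ".log"]
    ok, held = classify(batch)
    for p, why in held:
        print("HELD:", why)
    # Only the 'ok' list would be handed to winzip32 with /zipandemail.
```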

-------------------------=[Vendor Response]=--------------------------
The Vendor was contacted December 18th, 2000 and replied:

"Hopefully this will be corrected in the next version, fortunately this
doesn't seem to be a problem that many people will run into."

We agree with this statement, yet feel that people using winzip for,
e.g., automated log collection should be aware of this flaw.

======================================================================
            This release was brought to you by Defcom Labs

              labs () defcom com             www.defcom.com
======================================================================
