[CORELAN-10-026] TweakFS Zip Stack BOF

[Security <security () corelan be>]

Advisory        : CORELAN-10-026
Disclosure date : April 19th, 2010
CVE Reference   : CVE-2010-1458
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026
 

00 : Vulnerability information 

 Product : TweakFS Zip Utility
 Version : 1.0 (latest version)
 Vendor : TweakFS
 URL : http://www.tweakfs.com/ 
 Platform : Windows
 Type of vulnerability : Stack buffer overflow
 Risk rating : High
 Issue fixed in version : not fixed
 Vulnerability discovered by : TecR0c
 Corelan Team :
 http://www.corelan.be:8800/index.php/security/corelan-team-members/



01 : Vendor description of software

"Create and Extract Zips TweakFS Zip Utility for FSX was designed to be a useful tool for unpacking Zip files 
downloaded from FS file libraries without the need for an existing 3rd-party Zip application, but the big handy feature 
is that it has a tree display of the Zip folder structure giving you a clear view of how the files will unpack and into 
which location."

 

02 : Vulnerability details

A flaw in how the application handles a overly long filename inside a zip file which an attacker can
utilize in a manner other than the designer intended. This allows the attacker to run arbitrary-code execution on 
the victims machine when a specially crafted zip file has been open within the application.

 

03 : Author/Vendor communication
 April 7, 2010 : author contacted
 April 16, 2010  : sent reminder
 April 19th, 2010 : No response, public disclosure


04: Proof of Concept
You can download a PoC exploit for XP SP3 from
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/