Full Disclosure mailing list archives
[CORELAN-10-031] - ZipWrangler 1.2 .zip Stack Buffer Overflow
From: Security <security () corelan be>
Date: Sat, 24 Apr 2010 17:26:48 +0200
corelan team
http://www.corelan.be:8800
security () corelan be
[ EIP Hunters ]

Vulnerability Disclosure Report

Advisory        : CORELAN-10-031
Disclosure date : April 24th, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031

00 : Vulnerability information

Product                     : Zip Wrangler
Version                     : 1.20
Vendor/Author               : CursorArts
URL                         : http://www.cursorarts.com/ca_zw.html
Platform                    : Windows (Tested on XP SP3 fully patched)
Type of vulnerability       : Stack Buffer Overflow
Risk rating                 : High
Issue fixed in version      : <not fixed>
Vulnerability discovered by : TecR0c
Corelan Team                : http://www.corelan.be:8800/index.php/security/corelan-team-members/

01 : Vendor description of software

From the vendor website:
"ZipWrangler: The simple, quick and free way to extract and create your own zip and other archive files. Use ZipWrangler's Viewer to take a look into these files before you decide whether or not to run or extract the contents. You can also Run program from within the archive without extracting. And you can use ZipWrangler to easily create your own compressed files for making them faster to send over the internet or by e-mail"

02 : Vulnerability details

The application mishandles an overly long zip filename, which an attacker can utilize in a manner other than the designer intended. Since the SE Handler can be overwritten, an attacker can take full control over the application flow and inject and execute arbitrary code on the machine. The attacker will be able to gain the same rights as the user running the application.

03 : Vendor communication

April 10 : Author contacted
April 18 : Sent reminder
April 25 : No answer, Public disclosure

04 : Exploit

PoC Download Here : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-031
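
Added example, not part of the original advisory and not Corelan or CursorArts code: since the issue is listed as not fixed, a defender can triage incoming archives by checking the 16-bit filename-length field of every zip local and central-directory header before the file reaches ZipWrangler. The 255-byte limit, the function names and the in-memory sample archives are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

MAX_NAME_LEN = 255  # assumed policy threshold, not a value from the advisory

# signature -> (header kind, offset of filename-length field, fixed header size)
HEADERS = {
    b"PK\x03\x04": ("local", 26, 30),
    b"PK\x01\x02": ("central", 28, 46),
}

def scan_zip_names(data, max_len=MAX_NAME_LEN):
    """Return (kind, offset, name_len, reason) for each suspicious header.

    Scans by signature instead of trusting the end-of-central-directory
    record, so local and central headers are checked independently.
    Signature bytes inside compressed data can cause false positives,
    which is acceptable for triage.
    """
    findings = []
    for sig, (kind, len_off, hdr_size) in HEADERS.items():
        pos = data.find(sig)
        while pos != -1:
            if pos + hdr_size > len(data):
                findings.append((kind, pos, None, "truncated header"))
                break  # no complete header can follow this one
            (name_len,) = struct.unpack_from("<H", data, pos + len_off)
            if pos + hdr_size + name_len > len(data):
                findings.append((kind, pos, name_len, "name runs past end of file"))
            elif name_len > max_len:
                findings.append((kind, pos, name_len, "name longer than limit"))
            pos = data.find(sig, pos + 4)
    return sorted(findings, key=lambda f: f[1])

def build_sample(name):
    """Constructed sample: in-memory archive holding one stored entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"sample")
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("benign", build_sample("readme.txt")),
                        ("oversized", build_sample("A" * 4000 + ".txt"))):
        print(label, scan_zip_names(blob))
```

Archives that produce any finding can be quarantined at the mail or download gateway instead of being opened.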