Full Disclosure mailing list archives
[CORELAN]-10-018 - TugZip 3.5
From: Lincoln <lincoln.blogger () gmail com>
Date: Thu, 1 Apr 2010 16:01:45 -0700
|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|

Advisory        : CORELAN-10-018
Disclosure date : April 1st, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-018

00 : Vulnerability information

Product                     : TugZip
Version                     : 3.5.0.0 (latest version)
Vendor                      : Christian Kindahl / tugzip.com
URL                         : http://www.tugzip.com/index.php?page=downloads
Platform                    : Windows
Type of vulnerability       : Stack overflow
Risk rating                 : High
Issue fixed in version      : <not fixed>
Vulnerability discovered by : Lincoln
Corelan Team                : http://www.corelan.be:8800/index.php/security/corelan-team-members/

01 : Vendor description of software

From the vendor website:
"TUGZip is a powerful award-winning freeware archiving utility for Windows that provides support for a wide range of compressed, encoded and disc-image files, as well as very powerful features; all through an easy to use application interface and Windows Explorer integration. Try this great free archiving utility!"

02 : Vulnerability details

When a specially crafted zip file is opened by TugZip, an exception handler gets overwritten, which allows arbitrary code execution to be triggered.

There are a few ways to trigger the vulnerability:
- open the zip file from within TugZip
- associate zip files with TugZip and double-click on the zip file
- associate zip files with TugZip and open a zip file from a URL

No user intervention is required (except for opening the file) to gain code execution.

03 : Author/Vendor communication

March 23 2010 : author contacted
March 28 2010 : sent reminder
April 1 2010  : No response, public disclosure

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/