Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

[CORELAN-10-020] - ZipScan 2.2c .zip file Stack BoF

From: Security <security () corelan be>
Date: Sun, 4 Apr 2010 00:14:43 +0200

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security () corelan be |
|                                                                  | 
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-020
Disclosure date : April 3rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020

 
00 : Vulnerability information
-------------------------------------
 Product : ZipScan 2.2c
 Version : 2.2c (latest version)
 Vendor : contact () foobarsoftware com / http://www.zipscan.co.uk/
 URL : http://www.zipscan.co.uk/download.htm
 Platform : Windows
 Type of vulnerability : Stack overflow
 Risk rating : medium
 Issue fixed in version : not fixed
 Vulnerability discovered by : Lincoln
 Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/

 
01 : Vendor description of software
-------------------------------------

From the vendor website:

"ZipScan searches archive files. It can search Zip, CAB, RAR, ACE,
InstallShield CAB, JAR, TAR, GZIP, Z, ZOO, LZH, ARJ, CHM and
OpenOffice files, including password-protected, nested and
self-extracting archives. The program supports text searching and can
open and extract files."
 
02 : Vulnerability details
-------------------------------------
When a specially crafted zip file is opened from within ZipScan,
an exception handler gets overwritten, allowing to trigger arbitrary
code execution. 
The way to trigger the vulnerability :

 - open the zip file from within ZipScan : "File  - Open Archive File"
Or
 - Click "open archive file and view its contents"
 - double-click on the filename inside the zip file

 
03 : Author/Vendor communication
-------------------------------------
 March 23 2010 : author contacted
 March 20 2010 : sent reminder
 April 3 2010 : No response, public disclosure


04 : PoC
----------
 http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: