Full Disclosure mailing list archives
[CORELAN-10-020] - ZipScan 2.2c .zip file Stack BoF
From: Security <security () corelan be>
Date: Sun, 4 Apr 2010 00:14:43 +0200
Corelan Team - http://www.corelan.be:8800 - security () corelan be
[ EIP Hunters ]
Vulnerability Disclosure Report

Advisory : CORELAN-10-020
Disclosure date : April 3rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020

00 : Vulnerability information
-------------------------------------
Product : ZipScan 2.2c
Version : 2.2c (latest version)
Vendor : contact () foobarsoftware com / http://www.zipscan.co.uk/
URL : http://www.zipscan.co.uk/download.htm
Platform : Windows
Type of vulnerability : Stack overflow
Risk rating : medium
Issue fixed in version : not fixed
Vulnerability discovered by : Lincoln
Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/

01 : Vendor description of software
-------------------------------------
From the vendor website:
"ZipScan searches archive files. It can search Zip, CAB, RAR, ACE, InstallShield CAB, JAR, TAR, GZIP, Z, ZOO, LZH, ARJ, CHM and OpenOffice files, including password-protected, nested and self-extracting archives. The program supports text searching and can open and extract files."

02 : Vulnerability details
-------------------------------------
When a specially crafted zip file is opened from within ZipScan, an exception handler record on the stack is overwritten, which allows arbitrary code execution.

The way to trigger the vulnerability :
- open the zip file from within ZipScan : "File - Open Archive File"
Or
- Click "open archive file and view its contents"
- double-click on the filename inside the zip file

03 : Author/Vendor communication
-------------------------------------
March 23 2010 : author contacted
March 20 2010 : sent reminder
April 3 2010 : No response, public disclosure

04 : PoC
----------
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020
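An added defensive check, not part of the advisory or of Corelan's PoC: the advisory does not say which zip field is oversized, so this assumes an overlong filename field (the trigger involves the filename inside the archive) and flags archives whose name lengths exceed an assumed MAX_PATH bound or disagree between the central directory and the local header. The bound, the helper names and the sample archives are all constructed here.

```python
import io
import struct
import zipfile

# Fixed-size parts of the ZIP structures (APPNOTE.TXT layout, little-endian).
EOCD = struct.Struct("<4sHHHHIIH")              # end of central directory, 22 bytes
CENTRAL = struct.Struct("<4sHHHHHHIIIHHHHHII")  # central directory file header, 46 bytes
LOCAL = struct.Struct("<4sHHHHHIIIHH")          # local file header, 30 bytes

# Assumed bound (Windows MAX_PATH): a filename field longer than this is suspicious.
MAX_NAME_LEN = 260


def scan_zip_headers(data: bytes, max_name_len: int = MAX_NAME_LEN) -> list:
    """Return (offset, message) findings for oversized or inconsistent filename
    fields. Walks the central directory (the authoritative index) and
    cross-checks each entry's local header instead of trusting either alone."""
    findings = []
    tail = data[-(EOCD.size + 0xFFFF):]          # EOCD may be followed by a comment
    eocd_rel = tail.rfind(b"PK\x05\x06")
    if eocd_rel < 0 or eocd_rel + EOCD.size > len(tail):
        return [(0, "no end-of-central-directory record")]
    _, _, _, _, entries, cd_size, cd_offset, _ = EOCD.unpack_from(tail, eocd_rel)
    if cd_offset + cd_size > len(data):
        return [(cd_offset, "central directory extends past end of file")]
    pos = cd_offset
    for _ in range(entries):
        if pos + CENTRAL.size > len(data) or data[pos:pos + 4] != b"PK\x01\x02":
            findings.append((pos, "truncated or misplaced central directory header"))
            break
        cd = CENTRAL.unpack_from(data, pos)
        name_len, extra_len, comment_len, local_off = cd[10], cd[11], cd[12], cd[16]
        if name_len > max_name_len:
            findings.append((pos, f"central filename length {name_len} exceeds {max_name_len}"))
        if local_off + LOCAL.size <= len(data) and data[local_off:local_off + 4] == b"PK\x03\x04":
            local_name_len = LOCAL.unpack_from(data, local_off)[9]
            if local_name_len != name_len:
                findings.append((local_off, f"local filename length {local_name_len} differs from central {name_len}"))
            if local_name_len > max_name_len:
                findings.append((local_off, f"local filename length {local_name_len} exceeds {max_name_len}"))
        else:
            findings.append((local_off, "central entry points outside file or at a non-local header"))
        pos += CENTRAL.size + name_len + extra_len + comment_len
    return findings


def build_sample(name: str) -> bytes:
    """Constructed test input: a one-entry stored archive written with the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"hello")
    return buf.getvalue()
```

Run it over archives before they reach a parser you do not trust; a hit only says the headers look abnormal, not that a given reader is exploitable.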