[Full-disclosure] [CORELAN-10-016] - Ken Ward Zipper .zip 0day Stack BOF
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, "secalert@xxxxxxxxxxxxxxxxxx" <secalert@xxxxxxxxxxxxxxxxxx>, "vuln@xxxxxxxxxxx" <vuln@xxxxxxxxxxx>
- Subject: [Full-disclosure] [CORELAN-10-016] - Ken Ward Zipper .zip 0day Stack BOF
- From: Security <security@xxxxxxxxxx>
- Date: Mon, 22 Mar 2010 10:08:51 +0100
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@xxxxxxxxxx |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|
Advisory : CORELAN-10-016
Disclosure date : March 23rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-016
0x00 : Vulnerability information
--------------------------------
Product : Ken Ward's Zipper
Version : 4.60.019
Vendor/Author : Leung Yat Chun Joseph
URL : http://www.trans4mind.com/personal_development/zipper/
Platform : Windows (Tested on XP SP3 fully patched, inside VirtualBox)
Type of vulnerability : Stack Buffer Overflow
Risk rating : Medium
Issue fixed in version : <not fixed>
Vulnerability discovered by : corelanc0d3r
Corelan Team :
http://www.corelan.be:8800/index.php/security/corelan-team-members/
0x01 : Vendor description of software
-------------------------------------
From the vendor website:
"Zipper is a free compression program, and you don't need to pay anything for
it. It doesn't contain pop-up ads or other annoying things. However, Zipper
isn't free to maintain and wasn't free to create, because it contains
commercial components, and was built with programming software."
0x02 : Vulnerability details
----------------------------
In order for the vulnerability to be triggered, a user must be tricked into
opening a specially crafted zip file from within the application and
double-clicking a filename inside the zip file, in an attempt to extract/view it.
After roughly 1022 bytes in the filename buffer, the structured exception
handler is overwritten, allowing an attacker to take full control of the
application flow and inject and execute arbitrary code on the machine.
The discovered vulnerability allows an attacker to execute arbitrary code
within the context of the currently logged-on user.
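As an added example that is not part of the advisory, the following Python script triages zip archives for the condition described above: it walks the raw local and central directory headers (instead of trusting a zip library that may reject a malformed archive) and reports every entry whose filename field is longer than a sanity limit. The limit of 255 is an assumed conservative threshold, and the sample archive is constructed in-memory for demonstration.

```python
import io
import struct
import zipfile

# Assumed sanity limit: far below the ~1022 bytes the advisory reports,
# and above any filename a legitimate Windows path component can carry.
MAX_NAME_LEN = 255

# Signature -> (header layout, index of the "file name length" field).
# Local file header is 30 bytes, central directory header is 46 bytes.
HEADERS = {
    b"PK\x03\x04": (struct.Struct("<4sHHHHHIIIHH"), 9),
    b"PK\x01\x02": (struct.Struct("<4sHHHHHHIIIHHHHHII"), 10),
}


def scan_zip_names(data, max_len=MAX_NAME_LEN):
    """Return (signature_hex, offset, name_len) for every header whose
    filename length exceeds max_len. Signatures are located by a byte scan,
    so a stray signature inside compressed data may yield an extra hit;
    that is acceptable for a triage tool and errs on the side of reporting."""
    findings = []
    for sig, (hdr, name_idx) in HEADERS.items():
        pos = data.find(sig)
        while pos >= 0 and pos + hdr.size <= len(data):
            name_len = hdr.unpack_from(data, pos)[name_idx]
            if name_len > max_len:
                findings.append((sig.hex(), pos, name_len))
            pos = data.find(sig, pos + hdr.size)
    return findings


def build_sample(name_len):
    """Constructed test fixture: a one-entry stored zip whose filename is
    name_len letters followed by '.txt', with harmless content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a" * name_len + ".txt", b"harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for n in (10, 300):
        hits = scan_zip_names(build_sample(n))
        print(f"{n}-char name: {len(hits)} oversized header(s) {hits}")
```

A clean archive yields no findings; an archive with an oversized name is reported twice, once for the local header and once for its central directory entry.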
0x03 : Vendor communication
---------------------------
March 16 : Author contacted
March 19 : Sent reminder
March 23 : No answer, Public disclosure
0x04 : Exploit/PoC
------------------
A detailed write-up about the process of building the exploit for this
vulnerability will be posted on www.abysssec.com on March 23rd, 2010
(afternoon, GMT+1).
Stay tuned (https://twitter.com/corelanc0d3r)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/