[Full-disclosure] [CORELAN-10-020] - ZipScan 2.2c .zip file Stack BoF
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, "secalert@xxxxxxxxxxxxxxxxxx" <secalert@xxxxxxxxxxxxxxxxxx>, "vuln@xxxxxxxxxxx" <vuln@xxxxxxxxxxx>
- Subject: [Full-disclosure] [CORELAN-10-020] - ZipScan 2.2c .zip file Stack BoF
- From: Security <security@xxxxxxxxxx>
- Date: Sun, 4 Apr 2010 00:14:43 +0200
|------------------------------------------------------------------|
| Corelan Team |
| http://www.corelan.be:8800 |
| security@xxxxxxxxxx |
|-------------------------------------------------[ EIP Hunters ]--|
| Vulnerability Disclosure Report |
|------------------------------------------------------------------|
Advisory : CORELAN-10-020
Disclosure date : April 3rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020
00 : Vulnerability information
-------------------------------------
Product : ZipScan 2.2c
Version : 2.2c (latest version)
Vendor : contact@xxxxxxxxxxxxxxxxxx / http://www.zipscan.co.uk/
URL : http://www.zipscan.co.uk/download.htm
Platform : Windows
Type of vulnerability : Stack overflow
Risk rating : medium
Issue fixed in version : not fixed
Vulnerability discovered by : Lincoln
Corelan Team :
http://www.corelan.be:8800/index.php/security/corelan-team-members/
01 : Vendor description of software
-------------------------------------
From the vendor website:
"ZipScan searches archive files. It can search Zip, CAB, RAR, ACE,
InstallShield CAB, JAR, TAR, GZIP, Z, ZOO, LZH, ARJ, CHM and
OpenOffice files, including password-protected, nested and
self-extracting archives. The program supports text searching and can
open and extract files."
02 : Vulnerability details
-------------------------------------
When a specially crafted zip file is opened from within ZipScan,
an exception handler gets overwritten, which allows arbitrary
code execution to be triggered.
The vulnerability can be triggered in either of two ways :
- open the zip file from within ZipScan : "File - Open Archive File"
or
- click "open archive file and view its contents", then
- double-click on the filename inside the zip file
03 : Author/Vendor communication
-------------------------------------
March 23 2010 : author contacted
March 20 2010 : sent reminder
April 3 2010 : No response, public disclosure
04 : PoC
----------
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-020
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/