[Full-disclosure] CORELAN-10-025 Archive Searcher .zip Stack Overflow
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, "secalert@xxxxxxxxxxxxxxxxxx" <secalert@xxxxxxxxxxxxxxxxxx>, "vuln@xxxxxxxxxxx" <vuln@xxxxxxxxxxx>
- Subject: [Full-disclosure] CORELAN-10-025 Archive Searcher .zip Stack Overflow
- From: Security <security@xxxxxxxxxx>
- Date: Fri, 16 Apr 2010 08:20:23 +0200
Advisory : CORELAN-10-025
Disclosure date : April 16th, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-025
00 : Vulnerability information
Product : Archive Searcher 2.1
Version : 2.1 (latest version)
Vendor : support@xxxxxxxxxxxx / miniwish.com
URL : http://www.miniwish.com/
Platform : Windows
Type of vulnerability : Stack overflow
Risk rating : High
Issue fixed in version : not fixed
Vulnerability discovered by : Lincoln
Corelan Team :
http://www.corelan.be:8800/index.php/security/corelan-team-members/
01 : Vendor description of software
From the vendor website:
"Archive Searcher© helps you finding out a file inside zip/ace/rar/cab
compressed files"
02 : Vulnerability details
When a specially crafted zip file is searched for by Archive Searcher, an
exception handler gets overwritten, which allows arbitrary code execution
to be triggered.
No user intervention is required (except for searching for the file) to gain
code execution.
03 : Author/Vendor communication
March 28th 2010 : author contacted
April 7th 2010 : sent reminder
April 15th 2010 : No response, public disclosure
04 : Proof of Concept
A PoC is available here :
http://www.corelan.be:8800/wp-content/forum-file-uploads/ekse/public/exploits/archive_searcher.rb_.txt