Full Disclosure mailing list archives

[CORELAN-10-032] - Easyzip 2000 .zip Stack BOF

From: Peter Van Eeckhoutte <peter.ve () corelan be>
Date: Sun, 25 Apr 2010 10:07:00 +0200

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security () corelan be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory : CORELAN-10-032
Disclosure date : 21st Apr 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-032


0x00 : Vulnerability information

 [+] Product : Easyzip 2000
 [+] Version : 3.5
 [+] Vendor : http://www.thefreesite.com/
 [+] URL : http://www.thefreesite.com/ezip35.exe
 [+] Type of vulnerability : Local Buffer Overflow
 [+] Risk rating : High
 [+] Issue fixed in version : none
 [+] Vulnerability discovered by : mr_me
 [+] Greetings to : The Corelan Security Team (http://www.corelan.be:8800/index.php/security/corelan-team-members/)



0x01 : Vendor description of software

From the vendor website:


This freeware utility is a powerful, easy-to-use FREE zip and unzip utility.
It offers all the features you'd find in the commercial compression programs.



0x02 : Vulnerability details
Local Stack Overflow:

When the application receives a malicious '.zip' file it fails to properly sanitize the 'filename' section on the zip 
resulting in a stack based buffer overflow.


0x03 : Vendor communication

 [*] 8th Apr, 2010 : Vendor contacted
 [*] 18th Apr, 2010 : Vendor reminded of vulnerability
 [*] 25th Apr, 2010 : No response
 [*] 25th Apr, 2010 : Public Disclosure



0x04 : Exploit/PoC

http://www.corelan.be:8800/advisories.php?id=CORELAN-10-032

This transmission is intended only for use by the intended recipient(s).  If you are not an intended recipient you 
should not read, disclose, copy, circulate or in any other way use the information contained in this transmission.  The 
information contained in this transmission may be confidential and/or privileged.  If you have received this 
transmission in error, please notify the sender immediately and delete this transmission including any attachments.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

[CORELAN-10-032] - Easyzip 2000 .zip Stack BOF Security (Apr 25)
- <Possible follow-ups>
- [CORELAN-10-032] - Easyzip 2000 .zip Stack BOF Peter Van Eeckhoutte (Apr 25)
- [CORELAN-10-032] - Easyzip 2000 .zip Stack BOF jeff smith (Apr 26)
  - Re: [CORELAN-10-032] - Easyzip 2000 .zip Stack BOF Benji (Apr 26)