Full Disclosure mailing list archives
[CORELAN-10-016] - Ken Ward Zipper .zip 0day Stack BOF
From: Security <security () corelan be>
Date: Mon, 22 Mar 2010 10:08:51 +0100
|------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | security () corelan be | | | |-------------------------------------------------[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |------------------------------------------------------------------| Advisory : CORELAN-10-016 Disclosure date : March 23rd, 2010 http://www.corelan.be:8800/advisories.php?id=CORELAN-10-016 0x00 : Vulnerability information -------------------------------- Product : Ken Ward's Zipper Version : 4.60.019 Vendor/Author : Leung Yat Chun Joseph URL : http://www.trans4mind.com/personal_development/zipper/ Platform : Windows (Tested on XP SP3 fully patched, inside VirtualBox) Type of vulnerability : Stack Buffer Overflow Risk rating : Medium Issue fixed in version : <not fixed> Vulnerability discovered by : corelanc0d3r Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/ 0x01 : Vendor description of software -------------------------------------
From the vendor website:
"Zipper is a free compression program, and you don't need to pay anything for it. It doesn't contain pop-up ads or other annoying things. However, Zipper isn't free to maintain and wasn't free to create, because it contains commercial components, and was build with programming software." 0x02 : Vulnerability details ---------------------------- In order for the vulnerability to be triggered, a user must be tricked into opening a specially crafted zip file from within the application, and double click on a filename inside the zip file, in an attempt to extract/view it. After roughly 1022 bytes in the filename buffer, the exception handler was overwritten, allowing an attacker to take full control over the application flow, inject and execute arbitrary code on the machine. The discovered vulnerability allows an attacker to execute arbitrary code within the context of the currently logged on user. 0x03 : Vendor communication --------------------------- March 16 : Author contacted March 19 : Sent reminder March 23 : No answer, Public disclosure 0x04 : Exploit/PoC ------------------ A detailed write-up about the process to build the exploit for this vulnerability will be posted on www.abysssec.com on march 23rd, 2010 (afternoon - GMT+1) Stay tuned (https://twitter.com/corelanc0d3r) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [CORELAN-10-016] - Ken Ward Zipper .zip 0day Stack BOF Security (Mar 22)