OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] [CORELAN-10-026] TweakFS Zip Stack BOF

From: Security (securitycorelan.be)
Date: Mon Apr 19 2010 - 06:54:25 CDT


Advisory : CORELAN-10-026
Disclosure date : April 19th, 2010
CVE Reference : CVE-2010-1458
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026
 

00 : Vulnerability information

 Product : TweakFS Zip Utility
 Version : 1.0 (latest version)
 Vendor : TweakFS
 URL : http://www.tweakfs.com/
 Platform : Windows
 Type of vulnerability : Stack buffer overflow
 Risk rating : High
 Issue fixed in version : not fixed
 Vulnerability discovered by : TecR0c
 Corelan Team :
 http://www.corelan.be:8800/index.php/security/corelan-team-members/

01 : Vendor description of software

"Create and Extract Zips TweakFS Zip Utility for FSX was designed to be a useful tool for unpacking Zip files downloaded from FS file libraries without the need for an existing 3rd-party Zip application, but the big handy feature is that it has a tree display of the Zip folder structure giving you a clear view of how the files will unpack and into which location."

 

02 : Vulnerability details

A flaw in how the application handles a overly long filename inside a zip file which an attacker can
utilize in a manner other than the designer intended. This allows the attacker to run arbitrary-code execution on
the victims machine when a specially crafted zip file has been open within the application.

 

03 : Author/Vendor communication
 April 7, 2010 : author contacted
 April 16, 2010 : sent reminder
 April 19th, 2010 : No response, public disclosure

04: Proof of Concept
You can download a PoC exploit for XP SP3 from
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/