NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2010-04

[Full-disclosure] [CORELAN-10-032] - Easyzip 2000 .zip Stack BOF

From: Security (securitycorelan.be)
Date: Sun Apr 25 2010 - 03:28:31 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| securitycorelan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|

Advisory : CORELAN-10-032
Disclosure date : 21st Apr 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-032

0x00 : Vulnerability information

[+] Product : Easyzip 2000
[+] Version : 3.5
[+] Vendor : http://www.thefreesite.com/
[+] URL : http://www.thefreesite.com/ezip35.exe
[+] Type of vulnerability : Local Buffer Overflow
[+] Risk rating : High
[+] Issue fixed in version : none
[+] Vulnerability discovered by : mr_me
[+] Greetings to : The Corelan Security Team (http://www.corelan.be:8800/index.php/security/corelan-team-members/)

0x01 : Vendor description of software

>From the vendor website:

This freeware utility is a powerful, easy-to-use FREE zip and unzip utility.
It offers all the features you'd find in the commercial compression programs.

0x02 : Vulnerability details
Local Stack Overflow:

When the application receives a malicious '.zip' file it fails to properly sanitize the 'filename' section on the zip resulting in a stack based buffer overflow.

0x03 : Vendor communication

[*] 8th Apr, 2010 : Vendor contacted
[*] 18th Apr, 2010 : Vendor reminded of vulnerability
[*] 25th Apr, 2010 : No response
[*] 25th Apr, 2010 : Public Disclosure

0x04 : Exploit/PoC

http://www.corelan.be:8800/advisories.php?id=CORELAN-10-032

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]