[Full-Disclosure] [HV-MED] Zip/Linux long path buffer overflow

vuln_at_hexview.com
Date: 11/04/04

  • Next message: Shoshannah Forbes: "Re: [Full-Disclosure] Who wrote Sobig?"
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: Wed, 3 Nov 2004 15:11:29 -0800
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Zip/Linux long path buffer overflow

    Classification:
    ===============
    Level: low-[MED]-high-crit
    ID: HEXVIEW*2004*11*03*1
    URL: http://www.hexview.com/docs/20041103-1.txt

    Overview:
    =========
    Zip console application by Info-Zip (http://www.info-zip.org) is an
    open-source software and part of many Linux distributions.
    A buffer overflow condition can be triggered and exploited during
    recursive compression operation.

    Affected products:
    ==================
    HexView tested the issue using Zip 2.3 which comes as "zip" package
    with Debian Linux. Possibly all earlier Info-Zip versions are vulnerable.
    Info-Zip applications for other operating systems are also vulnerable,
    but depending on operating system and file system restrictions, the
    vulnerability may or may not be triggered or exploited.

    Cause and Effect:
    =================
    When zip performs recursive folder compression, it does not check
    for the length of resulting path. If the path is too long, a buffer
    overflow occurs leading to stack corruption and segmentation fault.
    It is possible to exploit this vulnerability by embedding a shellcode
    in directory or file name. While the issue is not of primary concern
    for regular users, it can be critical for environments where zip archives
    are re-compressed automatically using Info-Zip application.

    Demonstration:
    ==============
    The issue can be reproduced by following these steps:
    1. Create an 8-level directory structure, where each directory name is
       256 characters long (we used 256 'a' characters).
    2. run "zip -r file.zip *". The application will crash with
        "segmentation fault"
    3. run "gdb -core core `which zip`" (assuming core drop is enabled)
    4. type "where" and hit Enter. Here is what you'll see:

    Program terminated with signal 11, Segmentation fault.
    [garbage truncated]
    #0 0x0805108e in error ()
    #1 0x61616161 in ?? ()
    #2 0x61616161 in ?? ()
    #3 0x61616161 in ?? ()

    Vendor Status:
    ==============
    HexView tried to notify vendor using vendor-provided e-mail address
    (zip-bugs@lists.wku.edu) on 2004-10-03. The mail was returned back
    as undeliverable.

    About HexView:
    ==============
    HexView contributes to online security-related lists for almost a
    decade. The scope of our expertize spreads over Windows, Linux, Sun,
    MacOS platforms, network applications, and embedded devices. The chances
    are you read our advisories or disclosures. For more information visit
    http://www.hexview.com

    Distribution:
    =============
    This document may be freely distributed through any channels as long as
    the contents are kept unmodified. Commercial use of the information in
    the document is not allowed without written permission from HexView
    signed by our pgp key.

    HexView Disclosure Policy:
    ==========================
    HexView notifies vendors that have publicly available contact e-mail 24
    hours before disclosing any information to the public. If we are unable
    to find vendor's e-mail address or if no reply is received within 24
    hours, HexView will publish vulnerability notification including all
    technical details unless the issue is rated as "critical". If vendor
    does not reply within 72 hours, HexView may disclose all details for
    critical vulnerabilities as well.

    If vendor replies within the above mentioned time period, HexView will
    announce the vulnerability, but will not disclose the details required
    to reproduce it. HexView will also specify the date when full disclosure
    containing all the details will be published. The time period between
    announcement and full disclosure is 30 days unless there is an agreement
    with vendor and appropriate justification for extension. If vendor
    resolves the issue earlier than 30 days after announcement, HexView will
    publish full disclosure as soon as the fix is available to the public.

    HexView also reserves the right to publish any detail of any
    vulnerability at any time.

    Feedback and comments:
    ======================
    Feedback and questions about this disclosure are welcome at
    vtalk@hexview.com
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.5 (GNU/Linux)

    iD8DBQFBiWR3DPV1+KQrDqQRAoGdAJ9ii5vJ+jCyT3le7mko6dHXxJ1H4wCgsfDq
    SYo6Nb0wIbEm5HAxMRRFtxg=
    =7Jjm
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Shoshannah Forbes: "Re: [Full-Disclosure] Who wrote Sobig?"

    Relevant Pages

    • Open-Xchange Security Advisory 2013-03-13
      ... The vendor has chosen responsible full disclosure to publish security issue details. ... Vulnerability Type: Cross Site Scripting ... Internal reference: 24649 ...
      (Bugtraq)
    • [HV-MED] Zip/Linux long path buffer overflow
      ... HexView tested the issue using Zip 2.3 which comes as "zip" package ... It is possible to exploit this vulnerability by embedding a shellcode ... HexView tried to notify vendor using vendor-provided e-mail address ... HexView will also specify the date when full disclosure ...
      (Bugtraq)
    • [HV-MED] Zip/Linux long path buffer overflow
      ... HexView tested the issue using Zip 2.3 which comes as "zip" package ... It is possible to exploit this vulnerability by embedding a shellcode ... HexView tried to notify vendor using vendor-provided e-mail address ... HexView will also specify the date when full disclosure ...
      (Full-Disclosure)
    • [Full-Disclosure] [HV-MED] Zip/Linux long path buffer overflow
      ... HexView tested the issue using Zip 2.3 which comes as "zip" package ... It is possible to exploit this vulnerability by embedding a shellcode ... HexView tried to notify vendor using vendor-provided e-mail address ... HexView will also specify the date when full disclosure ...
      (Full-Disclosure)
    • Re: Using 0days as part of pen-test?
      ... the client the option to determine how the vendor gets notified. ... vulnerability information you discover during ... The legal issue isn't the disclosure process, you can act as "legal entity" ... security threats until the vendor release a patch. ...
      (Pen-Test)