[NT] WinZip MIME Parsing Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 03/01/04

    To: list@securiteam.com
    Date: 1 Mar 2004 18:52:47 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      WinZip MIME Parsing Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    WinZip (http://www.winzip.com) is an archiving utility for the Microsoft
    Windows platform featuring built-in support for CAB files and for popular
    Internet file formats such as TAR, gzip, UUencode, BinHex, and MIME. ARJ,
    LZH, and ARC files are supported via external programs.

    A buffer overflow vulnerability exists in WinZip and allows arbitrary code
    execution on the target machine when long strings are provided to certain
    parameters of MIME archives.

    DETAILS

    Vulnerable Systems:
     * WinZip version 8.1 SR-1, possibly prior versions
     * WinZip version 9.0 latest beta

    Immune Systems:
     * WinZip version 9.0

    The problem is located in the UUDeview package, which is responsible for
    the various decoding features. When long strings are supplied to certain
    parameters of MIME archives (.mim, .uue, .uu, .b64, .bhx, .hqx and .xxe
    extensions), WinZip crashes with the message "internal error in file
    misc.c line 132". Analysis of the log file WinZip writes on crash
    reveals:

    Return address = 0x0041a923
    Return address = 0x0044c06c
    Return address = 0x41414141

    The offending instruction is located at:

    0049c332: mov dword ptr [ecx+08], edi

    Both the ECX and EDI registers are user-controllable, which allows an
    attacker to craft a MIME archive that executes code on the target machine.
    For successful exploitation, a victim has to be convinced to open the
    crafted MIME archive and must be running a vulnerable version of WinZip.
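    As an added example, not part of this advisory and not code from WinZip or
    UUDeview, the following Python scanner shows the defender-side check that
    follows from the description above: it parses the header parameters of a
    MIME archive (Content-Type / Content-Disposition name and filename values)
    and the filename on a UUencode "begin" line, and flags any value far longer
    than a legitimate filename could be. The advisory does not state the length
    that triggers the crash, so the 255-byte limit, the sample inputs and the
    function names are constructed assumptions; the heuristic suits a mail
    gateway or file-drop scanner that wants to quarantine suspicious .mim/.uue
    style files before a user double-clicks them.

```python
import re

# Constructed limit (assumption): the advisory gives no exact trigger length,
# so this is simply a value no legitimate filename or MIME parameter reaches.
MAX_VALUE_LEN = 255

# Header fields whose parameters (name=, filename=) the decoder has to handle.
PARAM_HEADERS = ("content-type", "content-disposition")
# key=value or key="quoted value" parameters after the media type.
PARAM_RE = re.compile(r'([\w-]+)\s*=\s*("([^"]*)"|([^;\s]+))')
# UUencode header: 'begin <octal mode> <filename>'.
UU_BEGIN_RE = re.compile(r'^begin\s+[0-7]{3,4}\s+(.+)$')


def _unfold_headers(lines):
    """Join RFC 822 continuation lines (leading whitespace) onto the line before.

    Heuristic: applied to every line, because nested MIME parts carry their
    own headers below the first blank line. Encoded body lines (base64,
    uuencode) never start with whitespace, so they are left untouched.
    """
    unfolded = []
    for line in lines:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line.rstrip("\r\n"))
    return unfolded


def scan_archive(text, limit=MAX_VALUE_LEN):
    """Return a list of (kind, name, length) findings for overlong fields.

    kind is 'mime-param' (parameter name in name) or 'uu-begin-filename'
    (truncated filename in name). An empty list means nothing suspicious.
    """
    findings = []
    for line in _unfold_headers(text.splitlines()):
        # MIME header parameters, e.g. Content-Type: ...; name="x.zip"
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() in PARAM_HEADERS:
            for m in PARAM_RE.finditer(value):
                pname = m.group(1)
                pval = m.group(3) if m.group(3) is not None else m.group(4)
                if len(pval) > limit:
                    findings.append(("mime-param", pname, len(pval)))
        # UUencode 'begin 644 <filename>' line
        m = UU_BEGIN_RE.match(line)
        if m and len(m.group(1)) > limit:
            fname = m.group(1)
            findings.append(("uu-begin-filename", fname[:16] + "...", len(fname)))
    return findings


# Constructed sample inputs (not real captures): a benign MIME archive,
# one with a folded 300-byte name parameter, and a UUencode file with a
# 300-byte filename on its begin line.
BENIGN = (
    "MIME-Version: 1.0\n"
    'Content-Type: application/zip; name="report.zip"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "UEsDBAoAAAAAAA==\n"
)
OVERLONG_MIME = (
    "MIME-Version: 1.0\n"
    "Content-Type: application/octet-stream;\n"
    '\tname="' + "A" * 300 + '"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "UEsDBAoAAAAAAA==\n"
)
OVERLONG_UU = "begin 644 " + "B" * 300 + "\nM4$L#!`H`\n`\nend\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("mime", OVERLONG_MIME), ("uu", OVERLONG_UU)):
        print(label, scan_archive(sample))
```

    A gateway would call scan_archive on the decoded text of any file with one
    of the listed extensions and quarantine it when the list is non-empty; the
    check is deliberately format-level so it does not depend on knowing the
    exact crashing length.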

    Workaround

    User awareness is the best defense against this class of attack. Users
    must be wary when opening attachments or following links from untrusted
    sources. Removing the extension handler for the vulnerable file types
    prevents exploitation by double-clicking on what may appear to be a
    harmless WinZip archive. This can be done from Windows Explorer via the
    Tools -> Folder Options menu.

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE Security Advisory
    (idlabs-advisories@idefense.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


