[NT] DynaZip DZIP32.DLL/DZIPS32.DLL Buffer Overflow Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 26 Jul 2006 15:12:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
DynaZip DZIP32.DLL/DZIPS32.DLL Buffer Overflow Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.innermedia.com/> DynaZip is "a Zip and UnZip Data Compression
toolkits for Windows Developers". Some vulnerabilities have been found in
DynaZip DZIP32.DLL/DZIPS32.DLL. When exploited, the vulnerabilities allow
execution of arbitrary code when the user fixes (repairs) a malicious ZIP
archive, or add/update/freshen files in a malicious ZIP archive.
DETAILS
Vulnerable Systems:
* DynaZip Max (Evaluation Version) with DZIP32.DLL version 5.0.0.7
* DynaZip Max Secure (Evaluation Version) with DZIPS32.DLL version
6.0.0.4
Patch / Workaround:
Update to DZIP32.DLL version 5.0.0.8 or DZIPS32.DLL version 6.0.0.5.
Details:
This advisory discloses some buffer overflow vulnerabilities in DynaZip
DZIP32.DLL/DZIPS32.DLL. The stack-based buffer overflows occur when
DZIP32.DLL/DZIPS32.DLL is attempting to fix (repair) a ZIP archive that
contains a file with an overly long filename, or when attempting to
add/update/freshen files in a malicious ZIP archive. It is possible to
exploit the buffer overflows to execute arbitrary code.
In order to exploit this vulnerability successfully, the user must be
convinced to:
* Fix (Repair) a malicious ZIP file, or,
* Add, Update or Freshen a file to a malicious ZIP file.
The buffer overflows occur in DZIP32.DLL version 5.0.0.7 that is
distributed with DynaZip Max, and also exist in DZIPS32.DLL version
6.0.0.4 that is distributed with DynaZip Max Secure.
The buffer overflows occur in functions that resemble the following in
DZIP32.DLL/DZIPS32.DLL.
Buffer Overflow 1:
This function is called when the user "Fix" (Repair) an archive or "Add"
files to an archive.
func_20011D10(arg_0, arg_4, arg_8)
{
DWORD var1;
DWORD var2;
DWORD var3;
DWORD bytesToWrite;
DWORD bytesWritten;
char buffer[0x800]; // 2048 bytes
...
var1 = 0;
var2 = 0;
var3 = 0;
...
...
// Both cases will cause buffer overflow in "buffer"
// when filename of compressed file is > 2048 bytes
if(arg_8->someFlag == 0)
CharToOemA(arg_0->NameOfCompressedFile, buffer);
else
lstrcpyA(buffer, arg_0->NameOfCompressedFile);
...
...
...
}
Buffer Overflow 2:
This function in DZIP32.DLL will be called using the filename of the
compressed files in a ZIP archive when DZIP32.DLL is used to "Update" or
"Freshen" files in the archive. i.e. The filename argument contains the
filename of the compressed files in the ZIP archive.
func_2000C840(char *filename, arg_4, arg_8, arg_c)
{
DWORD unknown_var;
WORD fatTime;
WORD fatDate;
FILETIME localFileTime;
LPWIN32_FIND_DATA findFileData;
char buffer[0x800] // 2048 bytes
if(filename != NULL)
{
if(filename != arg_c->someVar)
{
strlen(filename);
if(filename != arg_c->someVar2)
{
// Buffer overflow in "buffer" when filename of
// compressed file is > 2048 bytes
lstrcpyA(buffer, filename);
...
...
...
...
}
}
}
}
Disclosure Timeline:
2006-07-04 - Vulnerability Discovered.
2006-07-12 - Initial Vendor Notification.
2006-07-12 - Initial Vendor Reply.
2006-07-23 - Fixed Versions Released.
2006-07-25 - Public Release.
ADDITIONAL INFORMATION
The information has been provided by <mailto:chewkeong@xxxxxxx> Tan Chew
Keong.
The original article can be found at:
<http://vuln.sg/dynazip5007-en.html> http://vuln.sg/dynazip5007-en.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Password Safe - Lock Password Database Configuration Not Enforced
- Next by Date: [NT] TurboZIP ZIP Repair Buffer Overflow
- Previous by thread: [NT] Password Safe - Lock Password Database Configuration Not Enforced
- Next by thread: [NT] TurboZIP ZIP Repair Buffer Overflow
- Index(es):
Relevant Pages
|
