[NT] Lhaplus LHA Extended Header Handling Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Lhaplus LHA Extended Header Handling Buffer Overflow
------------------------------------------------------------------------


SUMMARY

A vulnerability has been found in Lhaplus. When exploited, the
vulnerability allows execution of arbitrary code when the user extracts a
malicious LZH archive.

DETAILS

Vulnerable Systems:
* Lhaplus version 1.52 (Japanese)

Immune Systems:
* Lhaplus version 1.53

This advisory discloses a buffer overflow vulnerability in Lhaplus. The
heap-based buffer overflow occurs when Lhaplus reads the extended headers
from an LZH file. Lhaplus does not validate the "extended header size"
value read from the LZH file before using it to read extended-header data
into a 256-byte heap buffer. This causes a buffer overflow when the value
of "extended header size" is larger than 256. Arbitrary code execution
using the vulnerability has been confirmed on Win2K SP4.

In order to exploit this vulnerability successfully, the user must be
convinced to extract a malicious LZH file.

The buffer overflow occurs in a function that resembles the following in
Lhaplus.exe.

sub_4B64C8()
{
    ...
    ...
    struct HEADER *lzhHeader;
    char *buffer;
    char extendedHeaderType;
    int bytesread;
    ..
    ..
    ..
    if(lzhHeader->headerLevel == 0)
    {
        ...
    }
    else if(lzhHeader->headerLevel == 1)
    {
        ...
    }
    else if(lzhHeader->headerLevel == 2)
    {
        readData(handle, 2, &(lzhHeader->fileCRC));
        readData(handle, 1, &(lzhHeader->OSID));
        ...
    }
    else
    {
        ...
    }

    if(lzhHeader->headerLevel == 1 || lzhHeader->headerLevel == 2)
    {
        buffer = allocateMem(0x100); // 256 bytes

        // Extended header reading loop
        while(true)
        {
            // Read Extended Header Size from LZH file
            bytesread = readData(handle, 2, &(lzhHeader->extendedHeaderSize));

            if(lzhHeader->extendedHeaderSize == 0 || bytesread == 0)
                break;

            // Read Extended Header Type from LZH file
            bytesread = readData(handle, 1, &extendedHeaderType);
            if(bytesread == 0)
                break;

            clearMemory(buffer, 0x100);

            // NOTE: "lzhHeader->extendedHeaderSize" is read from the LZH file
            // and not sanitised.
            //
            // This causes a heap-based buffer overflow if the value of the
            // extended header size is > 0x100.
            //
            // A potential integer underflow can also occur due to the
            // subtraction of 3 from the extended header size value.
            //
            // i.e. Must check lzhHeader->extendedHeaderSize > 3 and <= 0x100

            bytesread = readData(handle, lzhHeader->extendedHeaderSize - 3, buffer);
            ...
            if(extendedHeaderType == 1)
            {
                ...
            }
            else if(extendedHeaderType == 2)
            {
                ...
            }
        }
    }
    ...
}

By overwriting saved pointers on the heap using the buffer overflow, it is
possible to execute arbitrary code.
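As an added example (not code from the advisory or from Lhaplus), a C parser for the level-1/2 extended header chain that applies the missing bounds check before reading each record into the 256-byte buffer; the stream type, status codes and sample byte sequences are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define EXT_BUF_SIZE 0x100  /* the 256-byte buffer from the advisory */
/* Status codes are hypothetical names for this example, not Lhaplus symbols. */
enum { EXT_TRUNCATED = -1, EXT_BAD_SIZE = -2 };
/* In-memory stand-in for the archive handle that readData() reads from. */
typedef struct { const uint8_t *data; size_t len, pos; } stream_t;

static int read_data(stream_t *s, size_t n, void *out)
{
    if (s->len - s->pos < n) return 0;  /* short read */
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return 1;
}
/* Walks a level-1/2 extended header chain: each record is
 * [size:2 LE][type:1][size-3 payload bytes], terminated by size == 0.
 * Returns the number of records parsed, or a negative status. */
int parse_ext_headers(const uint8_t *data, size_t len)
{
    stream_t s = { data, len, 0 };
    uint8_t buffer[EXT_BUF_SIZE];
    int count = 0;
    for (;;) {
        uint8_t raw[2], type;
        if (!read_data(&s, 2, raw)) return EXT_TRUNCATED;
        uint16_t size = (uint16_t)(raw[0] | (raw[1] << 8));
        if (size == 0) return count;  /* end of chain */
        /* The check Lhaplus 1.52 lacked: a size below 3 makes size - 3
         * underflow, and a size above the buffer capacity overflows it. */
        if (size < 3 || size > EXT_BUF_SIZE) return EXT_BAD_SIZE;
        if (!read_data(&s, 1, &type)) return EXT_TRUNCATED;
        memset(buffer, 0, sizeof buffer);
        if (!read_data(&s, size - 3, buffer)) return EXT_TRUNCATED;
        count++;
    }
}
/* Constructed sample chains for the demo; not bytes from a real archive. */
static const uint8_t sample_benign[]    = { 0x06,0x00, 0x01, 'a','b','c', 0x00,0x00 };
static const uint8_t sample_oversize[]  = { 0xFF,0xFF, 0x01, 0x41,0x41,0x41 };
static const uint8_t sample_underflow[] = { 0x02,0x00, 0x01 };

int main(void)
{
    printf("benign=%d oversize=%d underflow=%d\n",
           parse_ext_headers(sample_benign, sizeof sample_benign),
           parse_ext_headers(sample_oversize, sizeof sample_oversize),
           parse_ext_headers(sample_underflow, sizeof sample_underflow));
    return 0;
}
```

The oversize and underflow samples are the two inputs the vulnerable loop would have passed straight to readData(); here both are rejected before any copy into the buffer.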

Disclosure Timeline:
2006-07-26 - Vulnerability Discovered.
2006-07-27 - Initial Vendor Notification.
2006-07-31 - Vendor Released Fixed Version.
2006-07-31 - Public Release.


ADDITIONAL INFORMATION

The information has been provided by Tan Chew Keong <mailto:chewkeong@xxxxxxx>.
The original article can be found at: http://vuln.sg/lhaplus152-en.html




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


