[NT] Lhaz LHA Long Filename Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Lhaz LHA Long Filename Buffer Overflow
------------------------------------------------------------------------


SUMMARY

Some vulnerabilities have been found in Lhaz (<http://www.chitora.jp/lhaz.html>).
When exploited, the vulnerabilities allow execution of arbitrary code when
the user extracts a malicious LZH archive.

DETAILS

This advisory discloses two buffer overflow vulnerabilities in Lhaz. The
stack-based buffer overflows occur when Lhaz extracts an LZH archive that
contains a compressed file with an overly long filename.

The first buffer overflow occurs because Lhaz fails to validate the length
of the filename before copying it into a 260-byte stack buffer. The second
overflow occurs when Lhaz constructs an error message containing the overly
long filename using the unsafe "sprintf()" function. Both buffer overflows
allow the saved EIP to be overwritten. Arbitrary code execution has been
confirmed using both vulnerabilities.

NOTE: The first vulnerability is related to CVE-2004-0234 and
CVE-2004-0769, which were first reported by Ulf Harnhammar and Lukasz
Wojtow, since the LZH extraction code used in Lhaz is based on LHa for
UNIX version 1.14d.

In order to exploit the vulnerabilities successfully, the user must be
convinced to extract a malicious LZH file.

The buffer overflow vulnerabilities occur in a function that resembles the
following in Lhaz.exe.

// Possible modified version of the extract_one() function, as reconstructed
// from Lhaz.exe (sub_* names are the disassembler's labels).

sub_41D940(arg_0, arg_4, arg_8, arg_c)
{
    DWORD var1;
    time_t utimebuf[2];
    struct stat stbuf;
    char overflowedBuffer[MAX_PATH];   // 260 bytes
    char loadStringBuf[0x20];          // 32 bytes
    char textBuffer[0x100];            // 256 bytes

    if (someFlag && strrstr(compressedFilename, '/'))
    {
        // Buffer overflow when compressedFilename > 260 bytes (including NUL).
        // 552 bytes are required to overwrite the saved EIP.

        strcpy(overflowedBuffer, strrstr(compressedFilename, '/') + 1);
    }
    else
    {
        // Buffer overflow when compressedFilename > 260 bytes (including NUL).
        // 552 bytes are required to overwrite the saved EIP.

        strcpy(overflowedBuffer, compressedFilename);
        sub_529A70(overflowedBuffer, '/');
    }

    ...

    if (... && calculatedFileCRC != fileCRC)
    {
        LoadStringA(hInstance, 0x2A, &stbuf, 32);
        LoadStringA(hInstance, 0x76, loadStringBuf, 32);

        // This code may be Lhaz specific, and is executed only when the
        // compressed file can be extracted but the CRCs do not match.
        // Note: the name of the compressed file must not be so long that
        // the file cannot be created, or this branch is never reached.

        // Buffer overflow occurs due to unsafe use of sprintf() to construct
        // the "File ...compressedFilename... is damaged" error message.

        sprintf(textBuffer, "%s %s %s", &stbuf, overflowedBuffer, loadStringBuf);
        MessageBox(hWnd, textBuffer, NULL,
                   MB_OKCANCEL | MB_ICONEXCLAMATION | MB_APPLMODAL);
    }

    ...
}
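As an added illustration (not code from the advisory, nor from Lhaz or LHa for UNIX), the two unsafe calls above in a bounds-checked form, in standard C: the filename length is validated against the destination before the copy, and the error message is built with snprintf() so truncation is reported instead of overflowing. MAX_PATH is assumed to be 260 as the advisory states; the function names and the sample names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* size of the stack buffer named in the advisory */
#endif

/* Hardened replacement for the strcpy() at the top of the function: take
 * the component after the last '/', refuse it if it does not fit (NUL
 * included), never write past dst. Returns 0 on success, -1 on rejection. */
int copy_archive_basename(const char *archived, char *dst, size_t dstsz)
{
    const char *base = strrchr(archived, '/');
    size_t n;

    base = base ? base + 1 : archived;     /* strip any directory part */
    n = strlen(base);
    if (n == 0 || n >= dstsz)              /* needs n + 1 bytes for the NUL */
        return -1;
    memcpy(dst, base, n + 1);
    return 0;
}

/* Hardened replacement for the sprintf() that builds the CRC-mismatch
 * "<prefix> <name> <suffix>" message: the write is bounded and the caller
 * learns whether it was truncated. Returns 0 on success, -1 if truncated. */
int format_damaged_message(char *dst, size_t dstsz, const char *prefix,
                           const char *name, const char *suffix)
{
    int len = snprintf(dst, dstsz, "%s %s %s", prefix, name, suffix);
    return (len < 0 || (size_t)len >= dstsz) ? -1 : 0;
}

/* Demo on constructed input: a normal archived name is copied, a 552-byte
 * name (the length the advisory gives for reaching the saved EIP) is rejected. */
int demo(void)
{
    char path[MAX_PATH], msg[0x100], longname[553];
    int ok;

    memset(longname, 'A', 552);
    longname[552] = '\0';
    ok = copy_archive_basename("docs/readme.txt", path, sizeof path) == 0
         && strcmp(path, "readme.txt") == 0
         && copy_archive_basename(longname, path, sizeof path) == -1
         && format_damaged_message(msg, sizeof msg, "File", path, "is damaged") == 0;
    return ok;
}
```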

Solution:
Upgrade to Lhaz version 1.32.

Disclosure Timeline:
2006-08-02 - Vulnerability Discovered.
2006-08-03 - Initial Vendor Notification.
2006-08-06 - Vendor Released Fixed Version.
2006-08-06 - Public Release.


ADDITIONAL INFORMATION

The information has been provided by Tan Chew Keong (<mailto:chewkeong@xxxxxxx>).
The original article can be found at: <http://vuln.sg/lhaz131-en.html>


