exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WinArchiver 3.2 SEH Buffer Overflow

WinArchiver 3.2 SEH Buffer Overflow
Posted Sep 2, 2013
Authored by Pedro Guillen Nunez, Miguel Angel de Castro Simon, Josep Pi Rodriguez

WinArchiver version 3.2 suffers from a SEH-based buffer overflow vulnerability.

tags | advisory, overflow
advisories | CVE-2013-5660
SHA-256 | 6e206a8a5bb2693cb96ef406b23482f125a2165e42334ccf58a79646e69b5217

WinArchiver 3.2 SEH Buffer Overflow

Change Mirror Download
##############################################################################


- RealPentesting Advisory -

###############################################################################

Title: SEH BUFFER OVERFLOW IN WINARCHIVER V.3.2
Severity: Critical
History: 24.Apr.2013 Vulnerability reported
Authors: Josep Pi Rodriguez, Pedro Guillen Nuñez , Miguel Angel de Castro Simon
Organization: RealPentesting
URL: http://www.realpentesting.blogspot.com
Product: WinArchiver
Version: 3.2
Vendor: PowerSoftware
Url Vendor: http://winarchiver.com
Platform: Windows
Type of vulnerability: SEH buffer overflow
Issue fixed in version: (Not fixed)
CVE identifier: CVE-2013-5660

[ DESCRIPTION SOFTWARE ]

From vendor website:
WinArchiver is a powerful archive utility, which can open, create, and manage archive files. It supports almost all archive formats, including zip, rar, 7z, iso, and other popular formats. WinArchiver can also mount the archive to a virtual drive without extraction.

[ VULNERABILITY DETAILS ]

WinArchiver suffers from a SEH based overflow
Above you can see the debugged process after the seh overflow. As you can see in the bold letters the structure exception handler (seh) has overwritten by 00410041 which is manipulated by us. The proof of concept .zip file is attached in this mail. You have to open the .zip with WinArchiver and click the extract button in order to trigger the vulnerability.

Registers
---------
eax=00000041 ebx=000017a6 ecx=043b0000 edx=7fffdf41 esi=043aed84 edi=043aed58
eip=004e64cb esp=043ae8cc ebp=043ae8d0 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
*** ERROR: Module load completed but symbols could not be loaded for C:\Archivos de Programa\WinArchiver\WinArchiver.exe
WinArchiver+0xe64cb:
004e64cb 668901 mov word ptr [ecx],ax ds:0023:043b0000=????
Seh chain
----------
!exchain
043aff0c: WinArchiver+10041 (00410041)
Invalid exception stack at 00410041

By opening a specially crafted zip file, it is possible to execute arbitrary code.We can sucesfully exploit the vulnerability in order to gain code execution.

[ VENDOR COMMUNICATION ]

20/04/2013 : vendor contacted.No response
24/04/2013 : vendor contacted again.No response
29/04/2013: PUBLIC DISCLOSURE

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close