SEC Consult Vulnerability Lab Security Advisory < 20180207-0 >
=======================================================================
              title: Multiple buffer overflow vulnerabilities
            product: InfoZip UnZip
 vulnerable version: UnZip <= 6.00 / UnZip <= 6.1c22
      fixed version: 6.10c23
         CVE number: CVE-2018-1000031,CVE-2018-1000032,CVE-2018-1000033
                     CVE-2018-1000034,CVE-2018-1000035
             impact: high
           homepage: http://www.info-zip.org/UnZip.html
              found: 2017-11-03
                 by: R. Freingruber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"UnZip is an extraction utility for archives compressed in .zip format (also
called "zipfiles"). Although highly compatible both with PKWARE's PKZIP and
PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip program, our
primary objectives have been portability and non-MSDOS functionality.
UnZip will list, test, or extract files from a .zip archive, commonly found
on MS-DOS systems. The default behavior (with no options) is to extract into
the current directory (and subdirectories below it) all files from the
specified zipfile."

Source: http://www.info-zip.org/UnZip.html

InfoZip's UnZip is used as default utility for uncompressing ZIP archives
on nearly all *nix systems. It gets shipped with many commerical products on
Windows to provide (un)compressing functionality as well.


Business recommendation:
------------------------
InfoZip Unzip should be updated to the latest available version.


Vulnerability overview/description:
-----------------------------------
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035)

InfoZip's UnZip suffers from a heap-based buffer overflow when uncompressing
password protected ZIP archives. An attacker can exploit this vulnerability
to overwrite heap chunks to get arbitrary code execution on the target system.

For newer builds the risk for this vulnerability is partially mitigated
because modern compilers automatically replace unsafe functions with length
checking variants of the same function (for example sprintf gets replaced
by sprintf_chk). This is done by the compiler at locations were the length
of the destination buffer can be calculated.

Nevertheless, it must be mentioned that UnZip is used on many systems
including older systems or on exotic architectures on which this protection
is not in place. Moreover, pre-compiled binaries which can be found on the
internet lack the protection because the last major release of InfoZip's
UnZip was in 2009 and compilers didn't enable this protection per default at
that time. The required compiler flags are also not set in the Makefile of
UnZip. Compiled applications are therefore only protected if the used compiler
has this protection enabled per default which is only the case with modern
compilers.

To trigger this vulnerability (and the following) it's enough to uncompress
a manipulated ZIP archive. Any of the following invocations can be used to
trigger and abuse the vulnerabilities:

>unzip malicious.zip
>unzip -p malicious.zip
>unzip -t malicious.zip

2) Heap-based out-of-bounds write (CVE-2018-1000031)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap-based out-of-bounds write if the
archive filename does not contain a .zip suffix.

3) Heap/BSS-based buffer overflow (Bypass of CVE-2015-1315) (CVE-2018-1000032)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap/BSS-based buffer-overflow which
can be used to write null-bytes out-of-bound when converting
attacker-controlled strings to the local charset.

4) Heap out-of-bounds access in ef_scan_for_stream (CVE-2018-1000033)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap out-of-bounds access
vulnerability.

5) Multiple vulnerabilities in the LZMA compression algorithm (CVE-2018-1000034)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from multiple vulnerabilities in the LZMA
implementation. Various crash dumps have been supplied to the vendor
but no further analysis has been performed.


Proof of concept:
-----------------
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035)

Unzipping a malicious archive results in the following output:
(On Ubuntu 16.04 with UnZip 6.0 which was installed via aptitude install unzip)

*** buffer overflow detected ***: unzip terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x*****)[0x************]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x**)[0x************]
/lib/x86_64-linux-gnu/libc.so.6(+0x*****)[0x************]
/lib/x86_64-linux-gnu/libc.so.6(+0x*****)[0x************]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x**)[0x************]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x**)[0x************]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x**)[0x************]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x**)[0x************]
unzip[0x40c02b]
unzip[0x4049ac]
unzip[0x40762c]
unzip[0x409b60]
unzip[0x411175]
unzip[0x411bdf]
unzip[0x404191]

Function names can be mapped to the backtrace by compiling the application
with debug symbols:

(gdb) backtrace
#0  0x000000000040c706 in UzpPassword ()
#1  0x00000000004043ce in decrypt ()
#2  0x000000000040731c in extract_or_test_entrylist ()
#3  0x00000000004094af in extract_or_test_files ()
#4  0x00000000004149a5 in do_seekable ()
#5  0x000000000041540f in process_zipfiles ()
#6  0x0000000000403921 in unzip ()

The vulnerability resides inside the UzpPassword function in the following
code snippet (file ./fileio.c):

[1591]  if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
[1592]    sprintf(prompt, LoadFarString(PasswPrompt),
[1593]          FnFilter1(zfn), FnFilter2(efn));
...
[1595]  }          
          
The allocation at line 1591 allocates a fixed size buffer and then writes into
it at line 1592. It writes the following format string (PasswPrompt) into
the buffer: "[%s] %s password: "

This string has a length of 15 including the null-termination which explains
the +15 in the allocation. The developer allocated 2*FILENAMESIZ which
corresponds to 2 * PATH_MAX for the two format strings (zfn and efn).
zfn is the archive filename and can therefore not exceed PATH_MAX.
efn is the current processed filename inside the ZIP archive which should
typically be smaller than PATH_MAX for normal files. However, since an
attacker can manipulate the archive file the name can arbitrarily be chosen
which leads to a heap-based buffer overflow.

As already mentioned, modern compilers replace unsafe functions with
safe alternatives as a defense in depth mechanism.
This feature is called BOSC (Built-in object size checking) and is part
of the FORTIFY_SOURCE=2 protection.
The following link shows the source code (and vulnerability) inside
the Ubuntu package:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/unzip/trusty-updates/view/head:/fileio.c#L1593

By checking the installed compiled binary the following code can be seen:
(UnZip 6.0 from Ubuntu 16.04)

0x40bfc6:    mov    edi,0x200f
0x40bfcb:    mov    r13,r8
0x40bfce:    mov    QWORD PTR [rsp+0x8],r9
0x40bfd3:    call   0x401d30 <malloc@plt>
...
0x40c01a:    mov    edx,0x200f
0x40c01f:    mov    esi,0x1
0x40c024:    xor    eax,eax
0x40c026:    call   0x401f40 <__sprintf_chk@plt>

The code allocates 0x200f (=4096*2 + 15) bytes but the unsafe sprintf
function was replaced with the length-checking sprintf_chk() function
which receives as argument the size of the buffer (0x200f at address
0x40c01a). The risk is therefore mitigated on Ubuntu (and other modern
operating systems), at least with the currently used compiler default flags.

However, many pre-compiled UnZip binaries can be found on the internet
which are not compiled with this protection.
For example, the following three links are the first links which can be
found when searching for InfoZip UnZIP on the internet and which contain
unprotected binaries:
http://gnuwin32.sourceforge.net/packages/unzip.htm
https://oss.oracle.com/el4/unzip/unzip.tar
http://www.willus.com/archive/zip64/


2) Heap-based out-of-bounds write (CVE-2018-1000031)

When uncompressing ZIP archives the following code gets executed
(file fileio.c:345 function set_zipfn_sgmnt_name() in UnZip 6.1c22):

#define SGMNT_NAME_BOOST 8
...
  if (G.zipfn_sgmnt == NULL)
  {
[1]    G.zipfn_sgmnt_size = (int)strlen(G.zipfn)+ SGMNT_NAME_BOOST;
    if ((G.zipfn_sgmnt = izu_malloc(G.zipfn_sgmnt_size)) == NULL)
  ...
[2]  zfstrcpy(G.zipfn_sgmnt, G.zipfn);
  /* Expect to find ".zXX" at the end of the segment file name. */
[3]  sufx_len = IZ_MAX( 0, ((int)strlen(G.zipfn_sgmnt)- 4));
[4]  suffix = G.zipfn_sgmnt+ sufx_len;
  ...
  else  // No .zip extension
  {
[5]    zfstrcpy( (suffix+ sufx_len), ZSUFX);
[6]    suffix += sufx_len+ 2;
  }
  /* Insert the next segment number into the file name (G.zipfn_sgmnt). */
[7]  sprintf(suffix, "%02d", (sgmnt_nr+ 1));

G.zipfn is the filename / path of the archive file. Line [1] allocates space
for this name plus 8 (SGMNT_NAME_BOOST). Line [2] copies the name.
[3] and [4] calculate the end address minus 4 which should point to a suffix
if one is present. After [4] the variable suffix already points to this
address. However, line [5] adds sufx_len again to suffix, the write target
is therefore the base address + 2*(allocation_length - 4) but the buffer
can only hold allocation_len bytes.
Line [7] is another out-of-bounds write because of line [6].

Memory trace of the crash:
#1 0xf7af3c2f in memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ac2f)
#2 0x80969be in set_zipfn_sgmnt_name unzip610c22/fileio.c:424
#3 0x808eb82 in find_local_header unzip610c22/extract.c:4469
#4 0x808eb82 in extract_or_test_entrylist unzip610c22/extract.c:4745
#5 0x808eb82 in extract_or_test_files unzip610c22/extract.c:5698
#6 0x80cf6ca in extract_archive_seekable unzip610c22/process.c:1314
#7 0x80cf6ca in extract_archive unzip610c22/process.c:1465
#8 0x80d5676 in process_zipfiles unzip610c22/process.c:2033
#9 0x80636a2 in unzip unzip610c22/unzip.c:1840
#10 0x804a5b6 in main unzip610c22/unzip.c:1280
#11 0xf78cb636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

Please note that this vulnerability must not lead to a crash. If the
overwritten memory is not used, the program works as expected.


3) Heap/BSS-based buffer overflow (Bypass of CVE-2015-1315) (CVE-2018-1000032)

During parsing ZIP archives the function charset_to_intern() can be called
(unix/Unix.c:2427) with the "string" argument pointing to attacker
controlled data. This function converts the string in-place to another
charset (string is an INOUT argument).

The following code performs this task in the function:
[1]    slen = strlen(string);
[2]    s = string;
[3]    dlen = buflen = 2 * slen;
[4]    d = buf = izu_malloc(buflen + 1);
    if (d)
    {
[5]      memset( buf, 0, buflen);

      /* 2015-02-12 William Robinet, SMS.  CVE-2015-1315.
       * Added FILNAMSIZ check to avoid buffer overflow. Better would
       * be to pass in an actual destination buffer size.
       */
[6]      if ((iconv(cd, &s, &slen, &d, &dlen) != (size_t)-1) &&
[7]       (strlen(buf) < FILNAMSIZ))
      {
[8]        strncpy(string, buf, buflen);
      }
      izu_free(buf);
    }
    
The input string pointer is stored in the variable "string" and "s" (see [2]).
Line [6] tries to convert the input ("s") via iconv() to another charset.
The destination is "d" / "buf" (see line [4]).
This destination buffer has a size of two times the input length plus one ([3]).

The first problem can be found in line [5] which just initializes "buflen" bytes
and not "buflen+1" bytes. Consider the input string is empty, therefore slen=0.
This will allocate 1 byte at line [4] because of the +1. However, [5] calls
memset with buflen=0 which leaves the 1-byte buffer uninitialized. In line [7]
strlen() can therefore access data out-of-bounds if the uninitialized byte does
not contain a null-byte. This flaw is not critical because it can just crash the
application. Nevertheless, it should be fixed.

The second problem is harder to identify. The function do_string() is used to
parse strings from ZIP archives. If the option DS_FN gets passed, the string
is written into the filename[] array from the global variable G.
The code at extract.c:5584 (in the function extract_or_test_files()) calls
for example this function with this option:

do_string(__G__ G.crec.filename_length, DS_FN)) != PK_COOL)

Inside do_string() the following code can be found (fileio.c:3225):

Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver,
  G.pInfo->HasUxAtt, (option == DS_FN_L));

The "Ext_ASCII_TO_Native" is a define which redirects to charset_to_intern().
The first argument (G.filename in this case) is passed to this function
and can be accessed with the "string" argument in the above code.
At line [6] iconv() is used to convert the input string from one charset
(e.g.: CP850) to another (e.g.: UTF-8). Therefore "buf" contains the
converted string after this call. With line [8] this converted string
should be copied over the original location from the argument
(G.filename in our case).

The strncpy at [8] limits the number of written characters to buflen.
Because of [3] buflen is two times the input length and therefore a buffer
overflow can happen (the real size of the input buffer is not passed to the
function). This vulnerability was CVE-2015-1315 and an additional check was
added to prevent this buffer overflow. The additional check at [7] checks
the length of the converted string with this line:
[7]       (strlen(buf) < FILNAMSIZ))

Only if this check is passed the code at [8] gets executed:

[8]        strncpy(string, buf, buflen);

This should logically limit the number of bytes which can be written to
be smaller than FILNAMSIZ (even if the wrong, higher number, is passed
to strncpy).

For example:
G.filename is defined in globals.h:372 (inside the Uz_Globs struct):

char     filename[FILNAMSIZ];

FILNAMSIZ is defined in unzpriv.h and is equal to PATH_MAX (4096).
Therefore, filename can hold a buffer of size 4096. When the above
code gets executed and G.filename gets converted to another charset,
this code gets executed:

[6]      if ((iconv(cd, &s, &slen, &d, &dlen) != (size_t)-1) &&
[7]       (strlen(buf) < FILNAMSIZ))
      {
[8]        strncpy(string, buf, buflen);
      }

Let's assume that our input string had a length of 2940. Because of
[3] buflen will be 5880 (2*2940). That means if [8] is reached
a strncpy with a limit of 5880 gets executed, however, the destination
buffer only has a size of 4096 bytes (G.filename).
The check at [7] should protect against this because if strlen(buf) (the
source from strncpy) is bigger or equal than FILNAMSIZ (4096), the
strncpy does not get executed. And since strncpy just copies until the
first null-byte, it should just be possible to copy at maximum strlen(buf)
bytes in this strncpy.

This assumption is wrong though.
Strncpy() always writes n bytes - in the above case it will always write
5880 bytes and therefore a buffer overflow will always occur.
This behavior can be found in the manpage of strncpy:
"If the length of src is less than n, strncpy() writes additional null
bytes to dest to ensure that a total of n bytes are written."

The strncpy can therefore be used to write null-bytes out-of-bound
in the BSS or heap segment. Since the input string length is under
attacker control, the write length can be manipulated. That means
that an attacker can perform a partial overwrite to exploit this
vulnerability. For example, the attacker can overwrite data in the
Uz_Globs struct after G.filename with null-bytes. One attack target
can be heap addresses. They can be partially overwritten (lower
bytes) to change the heap address to point to an attacker
controlled heap chunk to get control over the data and therefore
also over the execution.


4) Heap out-of-bounds access in ef_scan_for_stream (CVE-2018-1000033)

The first two arguments to the function ef_scan_for_stream()
(extract.c:1167) are: ef_ptr and ef_len.
This function is for example called at: extract.c:4795

sts = ef_scan_for_stream( G.extra_field,
  (long)G.lrec.extra_field_length,
  &btmp_siz,
  &bitmap[ 0],
  &xlhdr,
  &cmnt);

The second argument (ef_len) stores the length / size of the first
argument (ef_ptr) and access checks must be performed to ensure
that no out-of-bounds access occurs.

Code line extract.c:1233 can access data out-of-bounds because length
checks are missing:

bitmap = *(ef_ptr+ (data_byte++));

Debugger output:

Program received signal SIGSEGV, Segmentation fault.
ef_scan_for_stream (...) at extract.c:1233
1233            bitmap = *(ef_ptr+ (data_byte++));
(gdb) print /x ef_ptr
$10 = 0x7ffff7ed5f3b
(gdb) print /x data_byte
$11 = 0xc6
(gdb) print /x ef_len
$12 = 0xc5



5) Multiple vulnerabilities in the LZMA compression algorithm (CVE-2018-1000034)

Invalid access attempts can occur at:
szip/LzmaDec.c:275 - IF_BIT_0(probLen)
szip/LzmaDec.c:242 - IF_BIT_0(prob)
szip/LzmaDec.c:217 - IF_BIT_0(prob)
szip/LzmaDec.c:299 - TREE_6_DECODE(prob, distance);
szip/LzmaDec.c:189 - GET_BIT2(probLit, symbol, offs &= ~bit, offs &= bit)
szip/LzmaDec.c:264 - IF_BIT_0(probLen)
szip/LzmaDec.c:201 - IF_BIT_0(prob)
szip/LzmaDec.c:213 - IF_BIT_0(prob)
szip/LzmaDec.c:290 - TREE_DECODE(probLen, limit, len);
szip/LzmaDec.c:233 - IF_BIT_0(prob)

No further analysis has been performed on the LZMA compression code.
The vendor will remove this code entirely in future releases.


Vulnerable / tested versions:
-----------------------------
Versions before and including 6.10 / 6.1c22 of InfoZip's Unzip have been found
to be vulnerable. Version 6.0 was the latest major release at the time the
security vulnerabilities were discovered. The next beta version is 6.1c22 which
has been tested as well.


Vendor contact timeline:
------------------------
2017-11-03: Vulnerability 1 identified, further internal analysis
2017-11-06: Attempt to contact the developers via bug report page
2017-11-10: Initial contact to the developer via sms@antinode.info
2017-11-10: Information from the main developer: A new beta version (6.1c22),
            which will be released soon, incorporates some security features.
            A link to the new beta version was provided.
2017-11-12: Sending encrypted advisory to sms@antinode.info
            Informed developer of the latest possible release date (2017-12-30).
2017-11-13: Developer confirms the vulnerability and notes that
            it should be easy to fix. The developer asks for a notification
            if vulnerabilities are found in version 6.1c22.
2017-11-21: Vulnerability 2-5 in UnZip 6.1c22 identified,
            the updated encrypted advisory with crash files was sent to
            the developer.
2017-11-23: Developer confirmed the e-mail containing the updated advisory.
2017-12-06: Asking the developer when an update will be available and
            to coordinate the release of the advisory together.
2017-12-11: E-mail from the developer: All vulnerabilities (except LZMA
            vulnerabilities) are fixed in version 6.1c23. A link to the new
            version was provided. The LZMA code / feature will likely be disabled
            until a better solution is available.
2017-12-13: Asking the developer for a coordinated release of the advisory.
2018-01-04: Informing the developer about the changed release date because
            of the holidays. Distribution mailing lists will be informed on
            2018-01-17, the advisory will be released about one week after that.
            Asking the developer for an InfoZip version with LZMA disabled.
2018-01-10: Informing the developer again that the current solution is to
            upgrade to version 6.10c23 which still contains the LZMA
            vulnerabilities and if a version without LZMA is available.
2018-01-17: Informing distros@vs.openwall.org about the upcoming advisory.
2018-02-01: Received CVE numbers.
2018-02-07: Publication of the advisory



Solution:
---------
Update to version 6.10c23: http://antinode.info/ftp/info-zip/unzip610c23.zip
Please note that the LZMA vulnerabilities are not yet fixed in this version.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF R. Freingruber @2018