exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

HexView Security Advisory 2004-11-03.1

HexView Security Advisory 2004-11-03.1
Posted Nov 5, 2004
Authored by HexView | Site hexview.com

Zip console application by Info-Zip is susceptible to a buffer overflow condition that can be triggered and exploited during a recursive compression operation.

tags | advisory, overflow
SHA-256 | 274803fde916bd9e952281ab6546188a8fdc6b1c96a71fcd827aee6005de24b5

HexView Security Advisory 2004-11-03.1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zip/Linux long path buffer overflow

Classification:
===============
Level: low-[MED]-high-crit
ID: HEXVIEW*2004*11*03*1
URL: http://www.hexview.com/docs/20041103-1.txt

Overview:
=========
Zip console application by Info-Zip (http://www.info-zip.org) is an
open-source software and part of many Linux distributions.
A buffer overflow condition can be triggered and exploited during
recursive compression operation.

Affected products:
==================
HexView tested the issue using Zip 2.3 which comes as "zip" package
with Debian Linux. Possibly all earlier Info-Zip versions are vulnerable.
Info-Zip applications for other operating systems are also vulnerable,
but depending on operating system and file system restrictions, the
vulnerability may or may not be triggered or exploited.

Cause and Effect:
=================
When zip performs recursive folder compression, it does not check
for the length of resulting path. If the path is too long, a buffer
overflow occurs leading to stack corruption and segmentation fault.
It is possible to exploit this vulnerability by embedding a shellcode
in directory or file name. While the issue is not of primary concern
for regular users, it can be critical for environments where zip archives
are re-compressed automatically using Info-Zip application.

Demonstration:
==============
The issue can be reproduced by following these steps:
1. Create an 8-level directory structure, where each directory name is
256 characters long (we used 256 'a' characters).
2. run "zip -r file.zip *". The application will crash with
"segmentation fault"
3. run "gdb -core core `which zip`" (assuming core drop is enabled)
4. type "where" and hit Enter. Here is what you'll see:

Program terminated with signal 11, Segmentation fault.
[garbage truncated]
#0 0x0805108e in error ()
#1 0x61616161 in ?? ()
#2 0x61616161 in ?? ()
#3 0x61616161 in ?? ()


Vendor Status:
==============
HexView tried to notify vendor using vendor-provided e-mail address
(zip-bugs@lists.wku.edu) on 2004-10-03. The mail was returned back
as undeliverable.

About HexView:
==============
HexView contributes to online security-related lists for almost a
decade. The scope of our expertize spreads over Windows, Linux, Sun,
MacOS platforms, network applications, and embedded devices. The chances
are you read our advisories or disclosures. For more information visit
http://www.hexview.com

Distribution:
=============
This document may be freely distributed through any channels as long as
the contents are kept unmodified. Commercial use of the information in
the document is not allowed without written permission from HexView
signed by our pgp key.

HexView Disclosure Policy:
==========================
HexView notifies vendors that have publicly available contact e-mail 24
hours before disclosing any information to the public. If we are unable
to find vendor's e-mail address or if no reply is received within 24
hours, HexView will publish vulnerability notification including all
technical details unless the issue is rated as "critical". If vendor
does not reply within 72 hours, HexView may disclose all details for
critical vulnerabilities as well.

If vendor replies within the above mentioned time period, HexView will
announce the vulnerability, but will not disclose the details required
to reproduce it. HexView will also specify the date when full disclosure
containing all the details will be published. The time period between
announcement and full disclosure is 30 days unless there is an agreement
with vendor and appropriate justification for extension. If vendor
resolves the issue earlier than 30 days after announcement, HexView will
publish full disclosure as soon as the fix is available to the public.

HexView also reserves the right to publish any detail of any
vulnerability at any time.

Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at
vtalk@hexview.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBiWR3DPV1+KQrDqQRAoGdAJ9ii5vJ+jCyT3le7mko6dHXxJ1H4wCgsfDq
SYo6Nb0wIbEm5HAxMRRFtxg=
=7Jjm
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close