

Posted Dec 28, 2005
Authored by Juha-Matti Laurio | Site networksecurity.fi

Networksecurity.fi Security Advisory (21-12-2005) - dtSearch versions prior to 7.20 Build 7136 use an old version of the unzip library, leaving them vulnerable to a buffer overflow.

tags | advisory, overflow
SHA-256 | 51fe330f144ef9e411e758192529c4211a81e18becbbabd007c96b44b0cad5a7


Networksecurity.fi Security Advisory (21-12-2005)

Title: dtSearch DUNZIP32.dll Buffer Overflow Vulnerability
Criticality: High (3/3)
Affected software: dtSearch versions prior to 7.20 Build 7136
Author: Juha-Matti Laurio
Date: 21st December, 2005
Advisory ID: Networksecurity.fi Security Advisory (21-12-2005) (#15)
CVE reference: CVE-2004-1094

- From the vendor:
"Instantly Search Terabytes of Text
The dtSearch product line can instantly search terabytes of text across
a desktop, network, Internet or Intranet site."

- Description:
The dtSearch document search system is confirmed to be affected by a
remote buffer overflow vulnerability.
The vulnerability is caused by a boundary error in a remarkably old,
vulnerable version of a 3rd-party compression library (DUNZIP32.dll)
used when handling packed .ZIP documents. The InnerMedia DynaZip
compression library in question is responsible for indexing and
displaying operations.
This can be exploited to cause a buffer overflow via a specially crafted
zipped document. When a specially crafted .zip document containing a
file with an overly long filename (a file name or files inside a ZIP) is
opened, the application will crash and the attacker may be able to
execute arbitrary code on the user's system (see US-CERT VU#582498).
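
An added example, not part of the advisory: a pre-indexing screen that reads the file-name length fields of a ZIP archive directly and rejects archives with overly long names before they reach an unzip library. The 260-byte limit and all function names are assumptions; the advisory states no length.

```python
import io
import struct
import zipfile

EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
MAX_NAME = 260  # assumed policy limit (Windows MAX_PATH); the advisory gives no length


def long_names(data, limit=MAX_NAME):
    """Return (central_len, local_len) for every entry whose file name length,
    in either the central directory or the local header, exceeds `limit`."""
    # EOCD record: 22 fixed bytes followed by a comment of at most 65535 bytes.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    hits = []
    for _ in range(count):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDH_SIG:
            raise ValueError("malformed central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        if local_off + 30 > len(data) or data[local_off:local_off + 4] != LFH_SIG:
            raise ValueError("malformed local file header")
        (local_len,) = struct.unpack_from("<H", data, local_off + 26)
        # The two length fields are independent; an unzip routine may trust either.
        if max(name_len, local_len) > limit:
            hits.append((name_len, local_len))
        pos += 46 + name_len + extra_len + comment_len
    return hits


def safe_to_index(data, limit=MAX_NAME):
    """Fail closed: reject archives that are malformed or carry a long name."""
    try:
        return not long_names(data, limit)
    except (ValueError, struct.error):
        return False


def sample_zip(names):
    """Build a constructed in-memory archive for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"x")
    return buf.getvalue()
```

A screen like this only reduces exposure on hosts that still carry the old library; ZIP64 archives are rejected as malformed because their sentinel offsets fail the bounds checks.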

- Detailed description:
The affected DynaZip library examined is a version from December, 2002, file
version According to InnerMedia, versions 5.00.03 and
prior are affected.
The following remarkably old file was copied to the C:\Program
Files\dtSearch\bin directory during the installation process when tested:
File name: dunzip32.dll
Date stamp: 6th December, 2002 04:05PM
File version:
Description: DynaZIP-32 Multi-Threading UnZIP DLL

NOTE: Dunzip32.dll is installed into the same directory as the
application executable of dtSearch Engine if dtSearch has been installed
on end-users' machines. If the situation is as described, updating of
the library on end-users' machines by applying a software update is also

From US-CERT VU#582498:
"If a remote attacker can persuade a user to access a specially crafted
zip file, the attacker may be able to execute arbitrary code on that
user's system possibly with elevated privileges."

- Affected versions:
The vulnerability has been confirmed in dtSearch Desktop with Spider
version 7.10 (Build 7045). Other versions may also be affected.
The newest dtSearch version from 6.x product line is dtSearch 6.5 Build 6608.
All earlier versions (vendor's Web pages list versions 1.x to 5.25) are
probably affected as well.

- OS:
Microsoft Windows (Win 95/98/ME/NT/2000/XP/2003/.NET)
Tests were done with Microsoft Windows XP Professional SP2 and Microsoft
Windows 2000 Professional SP4 fully patched.

- Solution status:
The vendor has issued a patch that ships with the immune library version 5.00.07.
It can be obtained by downloading a patch from:

- Software:
dtSearch 7.x
dtSearch 6.x
http://www.dtsearch.com/PLF_desktop.html (Desktop with Spider)

Vendor and vendor Home Page:
dtSearch Corp.

Vendor product Web page:
http://www.dtsearch.com/PLF_desktop.html (Desktop with Spider)

- Solution:
Apply patch 7.20 Build 7136 (version number 7.20.7136.1):

- CVE information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2004-1094 on 20th December, 2005 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org ), which
standardizes names for security problems.
The CVSS (Common Vulnerability Scoring System) severity level metric of
issue CVE-2004-1094: 10 (High)

- References:
US-CERT VU#582498:
"InnerMedia DynaZip library vulnerable to buffer overflow via long file names"
From the vulnerability note:
"Users are encouraged to contact their software vendors if they suspect
they are vulnerable."
Upgrade information for version 6.x or earlier:

Credit information:
This vulnerability was researched by Juha-Matti Laurio,
Networksecurity.fi (Finland).

12-Oct-2005 - Vulnerability researched and confirmed
05-Nov-2005 - Vendor was contacted
05-Nov-2005 - Vendor's reply, vendor informed about upcoming, fixed
version and timeline
06-Nov-2005 - Vendor issues a patch, detailed research
20-Dec-2005 - CVE information submission sent to Mitre.org
20-Dec-2005 - Mitre.org assigns CVE-2004-1094
21-Dec-2005 - Security companies and several CERT units contacted
23-Dec-2005 - Public disclosure

A full version of the security advisory is located at

Networksecurity.fi Weblog (Finnish language):
