zooExec.txt

zooExec.txt: Posted Feb 26, 2006; Authored by Jean-Sebastien Guay-Leroux | Site guay-leroux.com; When feeding zoo a specially crafted archive, an attacker may be able to trigger a stack overflow and seize control of the program.; tags | advisory, overflow; SHA-256 | 9422982e39289d304e78eb097b387485df9810f1e7aa80c2b08a8bf23dce1d39; Download | Favorite | View

zooExec.txt

Topic: zoo contains exploitable buffer overflows


Announced:      2006-02-22
Product:        zoo
Category:       Applications/Archiving
Impact:         Remote code execution
Credits:        Jean-Sébastien Guay-Leroux


I.      BACKGROUND

zoo is a file archiving utility for maintaining collections of files.
It uses Lempel-Ziv compression to provide space savings in the
range of 20 to 80 percent depending on the type of data. Written by
Rahul Dhesi, and posted to the USENET newsgroup comp.sources.misc.


II.     PROBLEM DESCRIPTION

When feeding zoo a specially crafted archive, an attacker may be able
to trigger a stack overflow and seize control of the program.

fullpath()/misc.c accepts a pointer to a directory entry and returns the
combined directory name and filename.  fullpath() calls the function
combine()/misc.c, and assume that the length of the string returned is never
longer than 256 bytes.  In fact, the string returned can be made a little
longer than 512 bytes.

If the string is in fact longer than 256 bytes, a static variable can be
overflowed in the function fullpath()/misc.c .  This string is later used
in a strcpy() on a destination buffer of 256 bytes on the stack.

It is then easy to overwrite EIP and take control of the program.


III.    PATCH

diff -u -r -r zoo-2.10.old/misc.c zoo-2.10.orig/misc.c
--- zoo-2.10.old/misc.c 1991-07-05 12:00:00.000000000 -0400
+++ zoo-2.10.orig/misc.c        2006-01-29 17:20:35.000000000 -0500
@@ -135,11 +135,16 @@
 char *fullpath (direntry)
 struct direntry *direntry;
 {
-       static char result[PATHSIZE];
+       static char result[PATHSIZE+PATHSIZE+12]; // Room for enough space
        combine (result,
                                direntry->dirlen != 0 ? 
direntry->dirname : "",
                                (direntry->namlen != 0) ? direntry->lfname :
                                direntry->fname
                          );
+
+       if (strlen (result) >= PATHSIZE) {
+               prterror ('f', "Combined dirname and filename too long\n");
+       }
+
        return (result);
 }


IV.     CREDITS

Bug found by Jean-Sébastien Guay-Leroux

To contact me, visit http://www.guay-leroux.com/

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

zooExec.txt

zooExec.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

zooExec.txt

Share This

zooExec.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems