|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@corelan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory : CORELAN-10-029
Disclosure date : Apr 21 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-029
 
00 : Vulnerability information

 Product : ZipGenius
 Version : 6.3.1.2552
 Vendor : ZipGenius
 URL  : http://www.zipgenius.com/
 URL2 : http://www.softpedia.com/get/Compression-tools/ZipGenius.shtmlPlatform : Windows
 Type of vulnerability : zgtips.dll stack buffer overflow
 Risk rating : Medium
 Issue fixed in version : <not fixed, workaround proposed by vendor>
 Vulnerability discovered by : Rick2600
 Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/
 

 
01 : Vendor description of software
 
>From the vendor website:
"ZipGenius: the free and powerful archive manager for Windows.
ZipGenius can handle more than 20 compressed archive types,
so it is a perfet companion for your work and daily activities;
but ZipGenius doesn't handle compressed archives, only:
it is flexible and expandable so it could almost everything you want from it."
 
 
02 : Vulnerability details
 
The flaw resides in zgtips.dll, a DLL shipped with zipgenius.
This dll allows for shell integration and will display the contents of a zip file
when you hover the mouse over the archive file.
Aparently this doesn't deal well with a specially crafted zip file containing a
overly long filename, resulting in a stack buffer overflow.
It causes the exception handler to be overwritten, and then triggers an exception,
allowing execution of arbitrary code.
 
In order to trigger the vulnerability the user must run zipgenius.exe, click "open",
position/hover the mouse pointer over the crafted zip file (don't select it) and just wait.
 

zgtips!DllUnregisterServer+0x599c2:
032b3c96 8b4014 mov eax,dword ptr [eax+14h] ds:0023:41414155=????????
 
0:005> !exchain
0303e94c: zgtips!DllUnregisterServer+5a142 (032b4416)
0303e958: zgtips!DllUnregisterServer+5a19b (032b446f)
0303f950: 41414141
Invalid exception stack at 41414141
 
 
 
 
03 : Vendor communication
 
24th Mar, 2010 : Vendor contacted
25th Mar, 2010 : Vendor asked us to test latest version (build 2552)
25th Mar, 2010 : Vendor was informed about the vulnerability in the latest version
28th Mar, 2010 : Vendor confirmed the vulnerability
16th Apr, 2010 : Vendor posted a note about the problem on http://feeds.feedburner.com/zipgeniusnews
21st Apr, 2010 : Coordinated Disclosure
 
ZipGenius' note about the vulnerability :
 
Some week ago we were contacted by Peter Van Eeckhoutte (Corelan Security) in order to
report a flaw that causes many zip utilities to crash and open a door to malicious code.
The event is triggered by a specially crafted zip file which has a very very long
filename stored in its central directory, and when I talk about a "very very long"
filename, I mean a full path+filename info which is longer than the
system MAX_PATH constant (255 characters).
 
Many competitors didn't handle correctly this event and allowed the execution of a
malicious code (in Corelan proof of concept, the code shows just a message).
We tested ZipGenius latest build without checking the source code and found that...
ZipGenius is SAFE!
 
Our beloved software already handles this event since 2002:
the problem popped out just some week after Windows XP release in 2001
and we put a code that checks filename length while reading the archive;
if ZipGenius finds a very very long filename, it disables almost every
feature and you can just close the archive and go on.
Well, Corelan admits that ZipGenius main executable is safe but the problem
still lives in a DLL that ships with ZipGenius: zgtips.dll.
Peter is right and we worked together to fix the flaw,
but this event mad a new problem to pop out...
The zgtips.dll shell extension causes Windows Vista and 7 Explorer to crash.
It's really a weird behaviour: we modified a lot of code in that dll and we
also tried to rebuild it from the ground, but it still shows the "infotip"
on ZIP archives and, after about a minute, Explorer crashes.
On the contrary, in Windows XP this doesn't happen and the shell extension works as designed.
This behavour is leading us to take an hard decision: in next ZipGenius build,
zgtips.dll likely will be installed in Windows XP, 2000 and Server 2003/2008,
while it won't in Windows Vista and 7.
We are thinking that it is something related to the Aero interface of Vista/7
and we are still trying to uinderstand what is going on.
This also leads us to reconsider the decision to build an InfoTip
shell extension for x64 systems.
 
 
 
Corelan remarks :
1. Our PoC code contained MessageBox shellcode. So the statement that "the code shows just a message"
actually means that "arbitrary code was executed" :-)
2. Corelan Security Team would like to thank the author of this application for communicating and working with us.
 
 
04 : Workaround
 
The only way to prevent this vulnerability is by un-registering the vulnerable dll :
 
 
regsvr32 "C:\Program Files\ZipGenius 6\zgtips.dll" /U
 
  
05 : Exploit/PoC
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-029