############################################################################## - RealPentesting Advisory - ############################################################################### Title: SEH BUFFER OVERFLOW IN FUZEZIP V.1.0 Severity: High History: 16.Apr.2013 Vulnerability reported Authors: Josep Pi Rodriguez, Pedro Guillen Nuñez , Miguel Angel de Castro Simon Organization: RealPentesting URL: http://www.realpentesting.blogspot.com Product: FuzeZip Version: 1.0.0.131625 Vendor: Koyote-Lab Inc Url Vendor: http://fuzezip.com/ Platform: Windows Type of vulnerability: SEH buffer overflow Issue fixed in version: (Not fixed) CVE identifier: CVE-2013-5656 [ DESCRIPTION SOFTWARE ] From vendor website: FuzeZip is a sophisticated, yet easy to use, free compression tool that is based on 7-Zip technology. FuzeZip's software has a powerful compression engine that enables fast zipping and unzipping of Zip archives, as well as creating Zip-compatible files. FuzeZip has a user-friendly interface that makes creating, opening, extracting and saving compressed files very easy to do. [ VULNERABILITY DETAILS ] FuzeZip suffers from a SEH based overflow and stack based overflow which is protected by stack cookies. Above you can see the debugged process after the seh overflow: Registers --------- eax=00000041 ebx=00000000 ecx=00130000 edx=048d6798 esi=0012e434 edi=00000008 eip=004e8bf3 esp=0012dd10 ebp=0012dd48 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 *** ERROR: Symbol file could not be found. Defaulted to export symbols for fuzeZip.exe - fuzeZip!boost::archive::detail::iserializer,std::allocator >,std::allocator,std::allocator > > > >::load_object_data+0x41113: 004e8bf3 668901 mov word ptr [ecx],ax ds:0023:00130000=6341 Seh chain ---------- 0012de34: USER32!_except_handler3+0 (7e44048f) CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b) 0012dfbc: USER32!_except_handler3+0 (7e44048f) CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b) 0012e100: USER32!_except_handler3+0 (7e44048f) CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b) 0012e2ac: USER32!_except_handler3+0 (7e44048f) CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b) 0012ec1c: fuzeZip+10041 (00410041) Invalid exception stack at 00410041 By opening a specially crafted zip file, it is possible to execute arbitrary code.We can sucesfully exploit the vulnerability in order to gain code execution and bypassing SAFESEH. [ VENDOR COMMUNICATION ] 16/04/2013 : vendor contacted 17/04/2013: automatic response from vendor but no reponse after 17/04/2013: vendor contacted again but no response 29/04/2013.- PUBLIC DISCLOSURE