Networksecurity.fi Security Advisory (21-12-2005)

Title: dtSearch DUNZIP32.dll Buffer Overflow Vulnerability
Criticality: High (3/3)
Affected software: dtSearch versions prior to 7.20 Build 7136
Author: Juha-Matti Laurio
Date: 21st December, 2005
Advisory ID: Networksecurity.fi Security Advisory (21-12-2005) (#15)
CVE reference: CVE-2004-1094

- From the vendor:

"Instantly Search Terabytes of Text
The dtSearch product line can instantly search terabytes of text across a desktop, network, Internet or Intranet site."

- Description:

The dtSearch document search system is confirmed to be affected by a remotely exploitable buffer overflow vulnerability. The vulnerability is caused by a boundary error in a remarkably old, vulnerable version of a third-party compression library (DUNZIP32.dll) used when handling packed .ZIP documents. The InnerMedia DynaZip compression library in question is responsible for indexing and displaying operations. This can be exploited to cause a buffer overflow via a specially crafted zipped document. When a specially crafted .zip document containing a file with an overly long filename (the name of one file, or of several files, inside the ZIP) is opened, the application crashes and the attacker may be able to execute arbitrary code on the user's system (see the US-CERT VU#582498 reference).

- Detailed description:

The affected DynaZip library examined is a version from December 2002, file version 5.0.0.2. According to the InnerMedia company, versions 5.00.03 and prior are affected. The following remarkably old file was copied to the C:\Program Files\dtSearch\bin directory during the installation process when tested:

File name: dunzip32.dll
Date stamp: 6th December, 2002 04:05PM
File version: 5.0.0.2
Description: DynaZIP-32 Multi-Threading UnZIP DLL

NOTE: Dunzip32.dll is installed into the same directory as the application executable of the dtSearch Engine if dtSearch has been installed on end users' machines. If the situation is as described, the library on end users' machines also needs to be updated by applying a software update.

From US-CERT VU#582498:

"Impact: If a remote attacker can persuade a user to access a specially crafted zip file, the attacker may be able to execute arbitrary code on that user's system possibly with elevated privileges."

- Affected versions:

The vulnerability has been confirmed in dtSearch Desktop with Spider version 7.10 (Build 7045). Other versions may also be affected. The newest dtSearch version from the 6.x product line is dtSearch 6.5 Build 6608. All earlier versions (the vendor's Web pages list versions 1.x to 5.25) are probably affected as well.

- OS:

Microsoft Windows (Win 95/98/ME/NT/2000/XP/2003/.NET)
Tests were done with Microsoft Windows XP Professional SP2 and Microsoft Windows 2000 Professional SP4, fully patched.

- Solution status:

The vendor has issued a patch shipped with the fixed library version 5.00.07. It can be obtained by downloading a patch from:
http://www.dtsearch.com/download.html#upgrades

- Software:

dtSearch 7.x
dtSearch 6.x
http://www.dtsearch.com/PLF_desktop.html (Desktop with Spider)

Vendor and vendor Home Page:
dtSearch Corp.
http://www.dtsearch.com

Vendor product Web page:
http://www.dtsearch.com/PLF_desktop.html (Desktop with Spider)

- Solution:

Apply patch 7.20 Build 7136 (version number 7.20.7136.1):
http://www.dtsearch.com/download.html#upgrades

- CVE information:

The Common Vulnerabilities and Exposures (CVE) project assigned the name CVE-2004-1094 to this issue on 20th December, 2005. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
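A defensive pre-check for the condition described in the Description section (a ZIP entry whose filename is overly long), as an added example that is not part of the original advisory or of dtSearch: it walks the ZIP central directory by hand, so it does not rely on the unzip library it is meant to protect, and reports entries whose name exceeds a length threshold. The 260-byte limit, the helper names and the two sample archives are constructed assumptions, not values from the advisory.

```python
import io
import struct
import zipfile

# Assumed threshold (the advisory gives no number): flag any entry name
# longer than this. 260 matches Windows MAX_PATH; adjust to local policy.
MAX_NAME_LEN = 260

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header

def central_directory_names(data: bytes):
    """Yield (name_len, name) for each entry, reading the raw central
    directory headers rather than trusting an unzip library's parser."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD (22 bytes): sig, disk, cd_disk, entries_here, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, entries_total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(entries_total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        # name/extra/comment lengths sit at offsets 28..33; the fixed header is 46 bytes
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name_len, name
        pos += 46 + name_len + extra_len + comment_len

def suspicious_entries(data: bytes, limit: int = MAX_NAME_LEN):
    """Return [(name_len, truncated_name)] for entries whose name exceeds limit."""
    return [(n, name[:40]) for n, name in central_directory_names(data) if n > limit]

def make_zip(names):
    """Constructed sample archive (not from the advisory) with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()

BENIGN = make_zip(["report.txt", "docs/readme.txt"])        # constructed sample
LONG_NAME = make_zip(["report.txt", "A" * 1000 + ".txt"])   # constructed sample

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("long-name", LONG_NAME)):
        hits = suspicious_entries(blob)
        print(label, "->", "quarantine" if hits else "ok", hits)
```

Run it as a mail-gateway or upload filter step before any archive reaches a host that still carries the old DUNZIP32.dll; an archive with a hit is held rather than indexed.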
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1094

The CVSS (Common Vulnerability Scoring System) severity level metric of issue CVE-2004-1094: 10 (High)

- References:

US-CERT VU#582498: "InnerMedia DynaZip library vulnerable to buffer overflow via long file names"
http://www.kb.cert.org/vuls/id/582498

From the vulnerability note:
"Users are encouraged to contact their software vendors if they suspect they are vulnerable."

Upgrade information for version 6.x or earlier:
http://support.dtsearch.com/faq/dts0201.htm

Credit information:
This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi (Finland).

Timeline:
12-Oct-2005 - Vulnerability researched and confirmed
05-Nov-2005 - Vendor was contacted
05-Nov-2005 - Vendor's reply; vendor informed about the upcoming fixed version and timeline
06-Nov-2005 - Vendor issues a patch; detailed research
20-Dec-2005 - CVE information submission sent to Mitre.org
20-Dec-2005 - Mitre.org assigns CVE-2004-1094
21-Dec-2005 - Security companies and several CERT units contacted
23-Dec-2005 - Public disclosure

A full version of the security advisory is located at
http://www.networksecurity.fi/advisories/dtsearch.html

Networksecurity.fi Weblog (Finnish language):
http://networksecurity.typepad.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/