|------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | security@corelan.be | | | |-------------------------------------------------[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |------------------------------------------------------------------| Advisory : CORELAN-10-029 Disclosure date : Apr 21 2010 http://www.corelan.be:8800/advisories.php?id=CORELAN-10-029 00 : Vulnerability information Product : ZipGenius Version : 6.3.1.2552 Vendor : ZipGenius URL : http://www.zipgenius.com/ URL2 : http://www.softpedia.com/get/Compression-tools/ZipGenius.shtmlPlatform : Windows Type of vulnerability : zgtips.dll stack buffer overflow Risk rating : Medium Issue fixed in version : Vulnerability discovered by : Rick2600 Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/ 01 : Vendor description of software >From the vendor website: "ZipGenius: the free and powerful archive manager for Windows. ZipGenius can handle more than 20 compressed archive types, so it is a perfet companion for your work and daily activities; but ZipGenius doesn't handle compressed archives, only: it is flexible and expandable so it could almost everything you want from it." 02 : Vulnerability details The flaw resides in zgtips.dll, a DLL shipped with zipgenius. This dll allows for shell integration and will display the contents of a zip file when you hover the mouse over the archive file. Aparently this doesn't deal well with a specially crafted zip file containing a overly long filename, resulting in a stack buffer overflow. It causes the exception handler to be overwritten, and then triggers an exception, allowing execution of arbitrary code. In order to trigger the vulnerability the user must run zipgenius.exe, click "open", position/hover the mouse pointer over the crafted zip file (don't select it) and just wait. zgtips!DllUnregisterServer+0x599c2: 032b3c96 8b4014 mov eax,dword ptr [eax+14h] ds:0023:41414155=???????? 0:005> !exchain 0303e94c: zgtips!DllUnregisterServer+5a142 (032b4416) 0303e958: zgtips!DllUnregisterServer+5a19b (032b446f) 0303f950: 41414141 Invalid exception stack at 41414141 03 : Vendor communication 24th Mar, 2010 : Vendor contacted 25th Mar, 2010 : Vendor asked us to test latest version (build 2552) 25th Mar, 2010 : Vendor was informed about the vulnerability in the latest version 28th Mar, 2010 : Vendor confirmed the vulnerability 16th Apr, 2010 : Vendor posted a note about the problem on http://feeds.feedburner.com/zipgeniusnews 21st Apr, 2010 : Coordinated Disclosure ZipGenius' note about the vulnerability : Some week ago we were contacted by Peter Van Eeckhoutte (Corelan Security) in order to report a flaw that causes many zip utilities to crash and open a door to malicious code. The event is triggered by a specially crafted zip file which has a very very long filename stored in its central directory, and when I talk about a "very very long" filename, I mean a full path+filename info which is longer than the system MAX_PATH constant (255 characters). Many competitors didn't handle correctly this event and allowed the execution of a malicious code (in Corelan proof of concept, the code shows just a message). We tested ZipGenius latest build without checking the source code and found that... ZipGenius is SAFE! Our beloved software already handles this event since 2002: the problem popped out just some week after Windows XP release in 2001 and we put a code that checks filename length while reading the archive; if ZipGenius finds a very very long filename, it disables almost every feature and you can just close the archive and go on. Well, Corelan admits that ZipGenius main executable is safe but the problem still lives in a DLL that ships with ZipGenius: zgtips.dll. Peter is right and we worked together to fix the flaw, but this event mad a new problem to pop out... The zgtips.dll shell extension causes Windows Vista and 7 Explorer to crash. It's really a weird behaviour: we modified a lot of code in that dll and we also tried to rebuild it from the ground, but it still shows the "infotip" on ZIP archives and, after about a minute, Explorer crashes. On the contrary, in Windows XP this doesn't happen and the shell extension works as designed. This behavour is leading us to take an hard decision: in next ZipGenius build, zgtips.dll likely will be installed in Windows XP, 2000 and Server 2003/2008, while it won't in Windows Vista and 7. We are thinking that it is something related to the Aero interface of Vista/7 and we are still trying to uinderstand what is going on. This also leads us to reconsider the decision to build an InfoTip shell extension for x64 systems. Corelan remarks : 1. Our PoC code contained MessageBox shellcode. So the statement that "the code shows just a message" actually means that "arbitrary code was executed" :-) 2. Corelan Security Team would like to thank the author of this application for communicating and working with us. 04 : Workaround The only way to prevent this vulnerability is by un-registering the vulnerable dll : regsvr32 "C:\Program Files\ZipGenius 6\zgtips.dll" /U 05 : Exploit/PoC http://www.corelan.be:8800/advisories.php?id=CORELAN-10-029 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/