Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] DynaZip DZIP32.DLL/DZIPS32.DLL Buffer Overflow Vulnerabilities

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] DynaZip DZIP32.DLL/DZIPS32.DLL Buffer Overflow Vulnerabilities
Date: 26 Jul 2006 15:12:51 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  DynaZip DZIP32.DLL/DZIPS32.DLL Buffer Overflow Vulnerabilities
------------------------------------------------------------------------


SUMMARY

 <http://www.innermedia.com/> DynaZip is "a Zip and UnZip Data Compression 
toolkits for Windows Developers". Some vulnerabilities have been found in 
DynaZip DZIP32.DLL/DZIPS32.DLL. When exploited, the vulnerabilities allow 
execution of arbitrary code when the user fixes (repairs) a malicious ZIP 
archive, or add/update/freshen files in a malicious ZIP archive.

DETAILS

Vulnerable Systems:
 * DynaZip Max (Evaluation Version) with DZIP32.DLL version 5.0.0.7
 * DynaZip Max Secure (Evaluation Version) with DZIPS32.DLL version 
6.0.0.4

Patch / Workaround:
Update to DZIP32.DLL version 5.0.0.8 or DZIPS32.DLL version 6.0.0.5.

Details:
This advisory discloses some buffer overflow vulnerabilities in DynaZip 
DZIP32.DLL/DZIPS32.DLL. The stack-based buffer overflows occur when 
DZIP32.DLL/DZIPS32.DLL is attempting to fix (repair) a ZIP archive that 
contains a file with an overly long filename, or when attempting to 
add/update/freshen files in a malicious ZIP archive. It is possible to 
exploit the buffer overflows to execute arbitrary code.

In order to exploit this vulnerability successfully, the user must be 
convinced to:

    * Fix (Repair) a malicious ZIP file, or,
    * Add, Update or Freshen a file to a malicious ZIP file.

The buffer overflows occur in DZIP32.DLL version 5.0.0.7 that is 
distributed with DynaZip Max, and also exist in DZIPS32.DLL version 
6.0.0.4 that is distributed with DynaZip Max Secure.

The buffer overflows occur in functions that resemble the following in 
DZIP32.DLL/DZIPS32.DLL.

Buffer Overflow 1:

This function is called when the user "Fix" (Repair) an archive or "Add" 
files to an archive.

func_20011D10(arg_0, arg_4, arg_8)
{
 DWORD var1;
 DWORD var2;
 DWORD var3;
 DWORD bytesToWrite;
 DWORD bytesWritten;
 char buffer[0x800];  // 2048 bytes
 
 ...
 var1 = 0;
 var2 = 0;
 var3 = 0;
 ...
 ...
 // Both cases will cause buffer overflow in "buffer"
 // when filename of compressed file is > 2048 bytes
 
 if(arg_8->someFlag == 0)
  CharToOemA(arg_0->NameOfCompressedFile, buffer);
 else
  lstrcpyA(buffer, arg_0->NameOfCompressedFile);
 ...
 ...
 ...
}

Buffer Overflow 2:

This function in DZIP32.DLL will be called using the filename of the 
compressed files in a ZIP archive when DZIP32.DLL is used to "Update" or 
"Freshen" files in the archive. i.e. The filename argument contains the 
filename of the compressed files in the ZIP archive.

 
func_2000C840(char *filename, arg_4, arg_8, arg_c)
{
 DWORD unknown_var;
 WORD fatTime;
 WORD fatDate;
 FILETIME localFileTime;
 LPWIN32_FIND_DATA findFileData;
 char buffer[0x800]    // 2048 bytes
 
 if(filename != NULL)
 {
  if(filename != arg_c->someVar)
  {
   strlen(filename);
   if(filename != arg_c->someVar2)
   {
    // Buffer overflow in "buffer" when filename of
    // compressed file is > 2048 bytes
        
    lstrcpyA(buffer, filename);
    ...
    ...
    ...
    ...
   }
  }
 }
 
}

Disclosure Timeline:
2006-07-04 - Vulnerability Discovered.
2006-07-12 - Initial Vendor Notification.
2006-07-12 - Initial Vendor Reply.
2006-07-23 - Fixed Versions Released.
2006-07-25 - Public Release.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:chewkeong@vuln.sg> Tan Chew 
Keong.
The original article can be found at:  
<http://vuln.sg/dynazip5007-en.html> http://vuln.sg/dynazip5007-en.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] DynaZip DZIP32.DLL/DZIPS32.DLL Buffer Overflow Vulnerabilities, SecuriTeam <=
Previous by Date:  [NT] Password Safe - Lock Password Database Configuration Not Enforced, SecuriTeam
Next by Date:  [NT] TurboZIP ZIP Repair Buffer Overflow, SecuriTeam
Previous by Thread:  [NT] Password Safe - Lock Password Database Configuration Not Enforced, SecuriTeam
Next by Thread:  [NT] TurboZIP ZIP Repair Buffer Overflow, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]