[NT] Lhaz LHA Long Filename Buffer Overflow

Subject: [NT] Lhaz LHA Long Filename Buffer Overflow
Date: 8 Aug 2006 13:38:35 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Lhaz LHA Long Filename Buffer Overflow
------------------------------------------------------------------------


SUMMARY

Two vulnerabilities have been found in Lhaz (<http://www.chitora.jp/lhaz.html>). 
When exploited, the vulnerabilities allow execution of arbitrary code when the 
user extracts a malicious LZH archive.

DETAILS

This advisory discloses two buffer overflow vulnerabilities in Lhaz. The 
stack-based buffer overflow vulnerabilities occur when Lhaz is extracting 
an LZH file that contains a compressed file with an overly long filename.

The first buffer overflow occurs because Lhaz fails to validate the 
length of the filename before copying it into a 260-byte stack buffer. 
The second overflow occurs when Lhaz constructs an error message 
containing the overly long filename using the unsafe "sprintf()" function. 
Both buffer overflow vulnerabilities allow the saved EIP to be 
overwritten. Arbitrary code execution has been confirmed using both 
vulnerabilities.

NOTE: The first vulnerability is related to CVE-2004-0234 and 
CVE-2004-0769, which were first reported by Ulf Harnhammar and Lukasz 
Wojtow, since the LZH extraction code used in Lhaz is based on LHa for 
UNIX version 1.14d.

In order to exploit the vulnerabilities successfully, the user must be 
convinced to extract a malicious LZH file.

The buffer overflow vulnerabilities occur in a function that resembles the 
following in Lhaz.exe.

// Possible modified version of extract_one() function.

sub_41D940(arg_0, arg_4, arg_8, arg_c)
{
 DWORD var1;
 time_t utimebuf[2];
 struct stat stbuf;
 char overflowedBuffer[MAX_PATH]; // 260 bytes
 char loadStringBuf[0x20];        // 32 bytes
 char textBuffer[0x100];          // 256 bytes

 if(someFlag && strrstr(compressedFilename, "/"))
 {
  // Buffer overflow when compressedFilename > 260 bytes (including NULL).
  // 552 bytes are required to overwrite the saved EIP.

  strcpy(overflowedBuffer, strrstr(compressedFilename, "/") + 1);
 }
 else
 {
  // Buffer overflow when compressedFilename > 260 bytes (including NULL).
  // 552 bytes are required to overwrite the saved EIP.

  strcpy(overflowedBuffer, compressedFilename);
  sub_529A70(overflowedBuffer, '/');
 }

 ...

 if (... && calculatedFileCRC != fileCRC)
 {
  LoadStringA(hInstance, 0x2A, &stbuf, 32);
  LoadStringA(hInstance, 0x76, loadStringBuf, 32);

  // This code may be Lhaz specific, and is executed only when the
  // compressed file can be extracted, but the CRC does not match.
  // Note: The name of the compressed file must not be so long that
  // the file can't be created.

  // Buffer overflow occurs due to unsafe use of sprintf() to construct
  // the "File ...compressFileName.... is damaged" error message.

  sprintf(textBuffer, "%s %s %s", &stbuf, overflowedBuffer, loadStringBuf);
  MessageBox(hWnd, textBuffer, NULL,
             MB_OKCANCEL | MB_ICONEXCLAMATION | MB_APPLMODAL);
 }

 ...
}
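Both overflows above share one root cause: the entry name's length is never compared with the destination buffer before it is copied or formatted. The following is an added example (not Lhaz code and not part of the original advisory) showing the hardened form of the two operations: a bounded copy that rejects any name that will not fit in the 260-byte destination, NUL included, and an snprintf()-based message builder that reports truncation instead of writing past the 256-byte text buffer. The function names copy_entry_name, format_damaged_message, demo_copy and demo_message are hypothetical, the entry names are constructed from repeated 'A' characters, and the message parts "File" / "is damaged." stand in for the two LoadStringA() results; the unknown helper sub_529A70() is not reproduced.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* same 260-byte limit as the stack buffer in the advisory */
#endif

/* Hypothetical bounded replacement for the unchecked strcpy() into
 * overflowedBuffer. Returns 0 and writes the name (basename only when
 * strip_dirs is set) into out, or -1 without touching out when the name,
 * terminating NUL included, would not fit. */
int copy_entry_name(char *out, size_t out_size, const char *entry_name, bool strip_dirs)
{
    const char *base = entry_name;
    if (strip_dirs) {
        /* same "text after the last '/'" rule as the advisory's strrstr(..., "/") + 1 */
        const char *slash = strrchr(entry_name, '/');
        if (slash != NULL)
            base = slash + 1;
    }
    size_t len = strlen(base);
    if (len == 0 || len >= out_size)   /* the length check the original lacked */
        return -1;
    memcpy(out, base, len + 1);         /* len + 1 copies the terminating NUL */
    return 0;
}

/* Hypothetical bounded replacement for sprintf(textBuffer, "%s %s %s", ...).
 * snprintf() never writes past out_size, and a return value >= out_size
 * reveals that the message was truncated, so the caller can refuse it. */
int format_damaged_message(char *out, size_t out_size, const char *prefix,
                           const char *name, const char *suffix)
{
    int n = snprintf(out, out_size, "%s %s %s", prefix, name, suffix);
    if (n < 0 || (size_t)n >= out_size)
        return -1;                       /* message would not fit */
    return n;                            /* length of the message actually written */
}

/* Demo helper: build a constructed entry name "sub/" + name_len 'A's and
 * run it through copy_entry_name() with a 260-byte destination. */
int demo_copy(size_t name_len)
{
    static char name[1024];
    char dest[MAX_PATH];                /* the same 260-byte destination as Lhaz */
    if (name_len + 4 >= sizeof name)
        return -2;                      /* demo limit, not a security check */
    memcpy(name, "sub/", 4);
    memset(name + 4, 'A', name_len);
    name[4 + name_len] = '\0';
    return copy_entry_name(dest, sizeof dest, name, true);
}

/* Demo helper: format the error message for a constructed name of name_len
 * 'A's into the advisory's 256-byte textBuffer. */
int demo_message(size_t name_len)
{
    static char name[1024];
    char text[0x100];                   /* 256 bytes, as in the advisory */
    if (name_len >= sizeof name)
        return -2;                      /* demo limit, not a security check */
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    /* constructed message parts standing in for the two LoadStringA() strings */
    return format_damaged_message(text, sizeof text, "File", name, "is damaged.");
}

int main(void)
{
    printf("259-char name: %s\n", demo_copy(259) == 0 ? "copied" : "rejected");
    printf("600-char name: %s\n", demo_copy(600) == 0 ? "copied" : "rejected");
    printf("message with 240-char name: %s\n",
           demo_message(240) < 0 ? "rejected (would truncate)" : "built");
    return 0;
}
```

Note that the second check is independent of the first: a name that fits the 260-byte destination can still exceed the 256-byte message buffer once the prefix and suffix are added, which is why the message builder must bound its own write rather than rely on the earlier copy having been checked.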

Solution:
Upgrade to Lhaz version 1.32.

Disclosure Timeline:
2006-08-02 - Vulnerability Discovered.
2006-08-03 - Initial Vendor Notification.
2006-08-06 - Vendor Released Fixed Version.
2006-08-06 - Public Release.


ADDITIONAL INFORMATION

The information has been provided by Tan Chew Keong (<mailto:chewkeong@vuln.sg>).
The original article can be found at: <http://vuln.sg/lhaz131-en.html>


