##############################################################################
- RealPentesting Advisory -
###############################################################################
Title: SEH BUFFER OVERFLOW IN FUZEZIP V.1.0
Severity: High
History: 16.Apr.2013 Vulnerability reported
Authors: Josep Pi Rodriguez, Pedro Guillen Nu?ez , Miguel Angel de Castro Simon
Organization: RealPentesting
URL: http://www.realpentesting.blogspot.com
Product: FuzeZip
Version: 1.0.0.131625
Vendor: Koyote-Lab Inc
Url Vendor: http://fuzezip.com/
Platform: Windows
Type of vulnerability: SEH buffer overflow
Issue fixed in version: (Not fixed)
CVE identifier: CVE-2013-5656
[ DESCRIPTION SOFTWARE ]
From vendor website:
FuzeZip is a sophisticated, yet easy to use, free compression tool that is based on 7-Zip technology.
FuzeZip's software has a powerful compression engine that enables fast zipping and unzipping of Zip archives, as well as creating Zip-compatible files.
FuzeZip has a user-friendly interface that makes creating, opening, extracting and saving compressed files very easy to do.
[ VULNERABILITY DETAILS ]
FuzeZip suffers from a SEH based overflow and stack based overflow which is protected by stack cookies.
Above you can see the debugged process after the seh overflow:
Registers
---------
eax=00000041 ebx=00000000 ecx=00130000 edx=048d6798 esi=0012e434 edi=00000008
eip=004e8bf3 esp=0012dd10 ebp=0012dd48 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for fuzeZip.exe -
fuzeZip!boost::archive::detail::iserializer<boost::archive::xml_wiarchive,std::list<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > >::load_object_data+0x41113:
004e8bf3 668901 mov word ptr [ecx],ax ds:0023:00130000=6341
Seh chain
----------
0012de34: USER32!_except_handler3+0 (7e44048f)
CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012dfbc: USER32!_except_handler3+0 (7e44048f)
CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012e100: USER32!_except_handler3+0 (7e44048f)
CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012e2ac: USER32!_except_handler3+0 (7e44048f)
CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012ec1c: fuzeZip+10041 (00410041)
Invalid exception stack at 00410041
By opening a specially crafted zip file, it is possible to execute arbitrary code.We can sucesfully exploit the vulnerability in order to gain code execution and
bypassing SAFESEH.
[ VENDOR COMMUNICATION ]
16/04/2013 : vendor contacted
17/04/2013: automatic response from vendor but no reponse after
17/04/2013: vendor contacted again but no response
29/04/2013.- PUBLIC DISCLOSURE