FuzeZip 1.0 SEH Buffer Overflow

2013.09.03
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

############################################################################## - RealPentesting Advisory - ############################################################################### Title: SEH BUFFER OVERFLOW IN FUZEZIP V.1.0 Severity: High History: 16.Apr.2013 Vulnerability reported Authors: Josep Pi Rodriguez, Pedro Guillen Nu?ez , Miguel Angel de Castro Simon Organization: RealPentesting URL: http://www.realpentesting.blogspot.com Product: FuzeZip Version: 1.0.0.131625 Vendor: Koyote-Lab Inc Url Vendor: http://fuzezip.com/ Platform: Windows Type of vulnerability: SEH buffer overflow Issue fixed in version: (Not fixed) CVE identifier: CVE-2013-5656 [ DESCRIPTION SOFTWARE ] From vendor website: FuzeZip is a sophisticated, yet easy to use, free compression tool that is based on 7-Zip technology. FuzeZip's software has a powerful compression engine that enables fast zipping and unzipping of Zip archives, as well as creating Zip-compatible files. FuzeZip has a user-friendly interface that makes creating, opening, extracting and saving compressed files very easy to do. [ VULNERABILITY DETAILS ] FuzeZip suffers from a SEH based overflow and stack based overflow which is protected by stack cookies. Above you can see the debugged process after the seh overflow: Registers --------- eax=00000041 ebx=00000000 ecx=00130000 edx=048d6798 esi=0012e434 edi=00000008 eip=004e8bf3 esp=0012dd10 ebp=0012dd48 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 *** ERROR: Symbol file could not be found. Defaulted to export symbols for fuzeZip.exe - fuzeZip!boost::archive::detail::iserializer<boost::archive::xml_wiarchive,std::list<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > >::load_object_data+0x41113: 004e8bf3 668901 mov word ptr [ecx],ax ds:0023:00130000=6341 Seh chain ---------- 0012de34: USER32!_except_handler3+0 (7e44048f) CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b) 0012dfbc: USER32!_except_handler3+0 (7e44048f) CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b) 0012e100: USER32!_except_handler3+0 (7e44048f) CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b) 0012e2ac: USER32!_except_handler3+0 (7e44048f) CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b) 0012ec1c: fuzeZip+10041 (00410041) Invalid exception stack at 00410041 By opening a specially crafted zip file, it is possible to execute arbitrary code.We can sucesfully exploit the vulnerability in order to gain code execution and bypassing SAFESEH. [ VENDOR COMMUNICATION ] 16/04/2013 : vendor contacted 17/04/2013: automatic response from vendor but no reponse after 17/04/2013: vendor contacted again but no response 29/04/2013.- PUBLIC DISCLOSURE

References:

http://www.realpentesting.blogspot.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top