fuzzezip

##############################################################################

                     - RealPentesting Advisory -

###############################################################################

  Title: SEH BUFFER OVERFLOW IN FUZEZIP V.1.0
  Severity: High
  History: 16.Apr.2013 Vulnerability reported
  Authors: Josep Pi Rodriguez, Pedro Guillen Nuñez , Miguel Angel de Castro Simon
  Organization: RealPentesting
  URL: http://www.realpentesting.blogspot.com
  Product: FuzeZip
  Version: 1.0.0.131625
  Vendor: Koyote-Lab Inc
  Url Vendor: http://fuzezip.com/
  Platform: Windows
  Type of vulnerability: SEH buffer overflow
  Issue fixed in version: (Not fixed)
  CVE identifier: CVE-2013-5656

[ DESCRIPTION SOFTWARE ]

From vendor website:
FuzeZip is a sophisticated, yet easy to use, free compression tool that is based on 7-Zip technology.
FuzeZip's software has a powerful compression engine that enables fast zipping and unzipping of Zip archives, as well as creating Zip-compatible files.
FuzeZip has a user-friendly interface that makes creating, opening, extracting and saving compressed files very easy to do.

[ VULNERABILITY DETAILS ]

FuzeZip suffers from a SEH based overflow and stack based overflow which is protected by stack cookies.
Above you can see the debugged process after the seh overflow:

Registers
---------
eax=00000041 ebx=00000000 ecx=00130000 edx=048d6798 esi=0012e434 edi=00000008
eip=004e8bf3 esp=0012dd10 ebp=0012dd48 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for fuzeZip.exe -
fuzeZip!boost::archive::detail::iserializer<boost::archive::xml_wiarchive,std::list<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > >::load_object_data+0x41113:
004e8bf3 668901          mov     word ptr [ecx],ax ds:0023:00130000=6341
Seh chain
----------
0012de34: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012dfbc: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012e100: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012e2ac: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012ec1c: fuzeZip+10041 (00410041)
Invalid exception stack at 00410041

By opening a specially crafted zip file, it is possible to execute arbitrary code.We can sucesfully exploit the vulnerability in order to gain code execution and
bypassing SAFESEH.

[ VENDOR COMMUNICATION ]

16/04/2013 : vendor contacted
17/04/2013: automatic response from vendor but no reponse after
17/04/2013: vendor contacted again but no response
29/04/2013.- PUBLIC DISCLOSURE

No hay comentarios:

Publicar un comentario