fuzzezip

##############################################################################

                     - RealPentesting Advisory -

###############################################################################

  Title: SEH BUFFER OVERFLOW IN FUZEZIP V.1.0
  Severity: High
  History: 16.Apr.2013 Vulnerability reported
  Authors: Josep Pi Rodriguez, Pedro Guillen Nuñez , Miguel Angel de Castro Simon
  Organization: RealPentesting
  URL: http://www.realpentesting.blogspot.com
  Product: FuzeZip
  Version: 1.0.0.131625
  Vendor: Koyote-Lab Inc
  Url Vendor: http://fuzezip.com/
  Platform: Windows
  Type of vulnerability: SEH buffer overflow
  Issue fixed in version: (Not fixed)
  CVE identifier: CVE-2013-5656

[ DESCRIPTION SOFTWARE ]

From vendor website:
FuzeZip is a sophisticated, yet easy to use, free compression tool that is based on 7-Zip technology.
FuzeZip's software has a powerful compression engine that enables fast zipping and unzipping of Zip archives, as well as creating Zip-compatible files.
FuzeZip has a user-friendly interface that makes creating, opening, extracting and saving compressed files very easy to do.

[ VULNERABILITY DETAILS ]

FuzeZip suffers from a SEH based overflow and stack based overflow which is protected by stack cookies.
Above you can see the debugged process after the seh overflow:

Registers
---------
eax=00000041 ebx=00000000 ecx=00130000 edx=048d6798 esi=0012e434 edi=00000008
eip=004e8bf3 esp=0012dd10 ebp=0012dd48 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for fuzeZip.exe -
fuzeZip!boost::archive::detail::iserializer<boost::archive::xml_wiarchive,std::list<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > >::load_object_data+0x41113:
004e8bf3 668901          mov     word ptr [ecx],ax ds:0023:00130000=6341
Seh chain
----------
0012de34: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012dfbc: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012e100: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012e2ac: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012ec1c: fuzeZip+10041 (00410041)
Invalid exception stack at 00410041

By opening a specially crafted zip file, it is possible to execute arbitrary code.We can sucesfully exploit the vulnerability in order to gain code execution and
bypassing SAFESEH.

[ VENDOR COMMUNICATION ]

16/04/2013 : vendor contacted
17/04/2013: automatic response from vendor but no reponse after
17/04/2013: vendor contacted again but no response
29/04/2013.- PUBLIC DISCLOSURE

1 comentario:

  1. Are you facing errors in trading bitcoin in Blockchain account? Are you unable to carry out selling and buying process in Blockchain? Whenever you be under such situations, you can simply make a call on Blockchain phone number which is functional all the time. The team is always ready to help you and makes sure to serve the best solutions. Connecting them is an easy task as users are always there to help you out in every possible way. You can always contact them to avail solutions that are accessible.

    ResponderEliminar