vuln.sg Vulnerability Research Advisory

PowerZip Long Filename Handling Buffer Overflow Vulnerability

by Tan Chew Keong
Release Date: 2006-08-23

Summary

A vulnerability has been found in PowerZip. When exploited, the vulnerability allows execution of arbitrary code when the user opens a malicious ZIP archive.


Tested Versions

PowerZip version 7.06 Build 3895.


Details

This advisory discloses a buffer overflow vulnerability in PowerZip. The stack-based buffer overflow occurs when PowerZip is processing an archive that contains a file with an overly long filename. It is possible to exploit the buffer overflow to execute arbitrary code on Windows 2000 SP4 via a malicious ZIP file. On Windows XP SP2 systems, PowerZip will be terminated by the Data Execution Prevention (DEP) feature.

In order to exploit this vulnerability successfully, the user must be convinced to open a malicious ZIP file.


The buffer overflow occurs in a function that resembles the following in PowerZip.exe.

func_50E1A0(arg_0, .., .., ..)
{
	...
	CString nameOfCompressedFile;
	LVCOLUMN lvc;
	...
	lvc.mask = LVCF_SUBITEM;
	SendMessage(hWnd, LVM_GETCOLUMN, arg_0->iCol, &lvc);
	...
	if(arg_0->someFlag != 1)
	{
		switch(lvc.iSubItem)
		{
			case 0:
				if(arg_0->someStruct->someStruct2->someFlag != 0)
				{
					nameOfCompressedFile = arg_0->someStruct->someStruct2->compressedFilenameCString;
				}
				else
					...
				break;
			case 1:
				CDTPath var_180(arg_0->someStruct->someStruct2->CDTTimeVar.GetShortDate());
				...
				...
				break;
			case 2:
				break;
				...
				...
				...
		}
		
		// This causes a stack-based buffer overflow when the name of a compressed 
		// file (from a ZIP archive) is overly long.
		
		strcpy(arg_0->stackBuffer, nameOfCompressedFile.GetBuffer(0));

		nameOfCompressedFile.ReleaseBuffer(-1);
		...
		...
	}
	...
	...
}
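A defender can screen archives for the condition described above before a vulnerable extractor ever reads them. The following is an added example, not code from the advisory or from PowerZip: it parses a ZIP central directory by hand and flags any entry whose filename field exceeds a chosen length. The 260-byte threshold (Windows MAX_PATH) and the in-memory sample archive are assumptions constructed for the example; the advisory does not state the size of PowerZip's stack buffer.

```python
import io
import struct
import zipfile

# Threshold for flagging: Windows MAX_PATH. The advisory does not give the
# size of PowerZip's stack buffer, so this limit is an assumption.
MAX_NAME_LEN = 260

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header


def find_long_names(data: bytes, limit: int = MAX_NAME_LEN):
    """Return (entry_index, name_length) for every central-directory entry
    whose filename field is longer than `limit`. The headers are parsed
    by hand so the check does not depend on a library decoding the names."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    # EOCD layout after the 4-byte signature: disk(2) cd_disk(2) n_this(2)
    # n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    n_total, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    hits, pos = [], cd_off
    for idx in range(n_total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        # Fixed part of a central directory header is 46 bytes; the three
        # length fields (name, extra, comment) start at offset 28.
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        if name_len > limit:
            hits.append((idx, name_len))
        pos += 46 + name_len + extra_len + comment_len
    return hits


def build_sample_zip(long_len: int = 1000) -> bytes:
    """Constructed test archive: one ordinary entry and one whose name is
    `long_len` characters plus an extension, the shape the advisory
    describes. The member contents are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "benign content")
        zf.writestr("A" * long_len + ".txt", "benign content")
    return buf.getvalue()


if __name__ == "__main__":
    for idx, length in find_long_names(build_sample_zip()):
        print(f"entry {idx}: filename length {length} exceeds {MAX_NAME_LEN}")
```

The same walk over the central directory can be reused to reject archives at a mail gateway or file-upload handler before they reach an end-user extractor.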



POC / Test Code

The following POC ZIP files demonstrate the vulnerability in PowerZip; the exploit variant runs the harmless calculator (calc.exe). The POC has been successfully tested on English Windows 2000 SP4.

  • powerzipEXP.zip (exploits the overflow to run calc.exe. This requires that PowerZip is used in English Windows 2000 SP4)
  • powerzipCRASH.zip (crashes PowerZip by overrunning the stack)


Instructions:

  1. Run PowerZip
  2. Click on the "Open" button or select "File->Open Archive" from the menu.
  3. Select the POC ZIP file from the File-Open Dialog Box and click "Open".
  4. A successful exploit will run the calculator (calc.exe); a failed exploit will crash PowerZip.


Patch / Workaround

Update to version 7.07 Build 3901.


Disclosure Timeline

2006-08-10 - Vulnerability Discovered.
2006-08-12 - Initial Vendor Notification.
2006-08-12 - Initial Vendor Reply.
2006-08-18 - Vendor Released Fixed Version.
2006-08-23 - Public Release.


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to