by Tan Chew Keong
Release Date: 2006-11-19
A vulnerability has been found in Turbo Searcher. When exploited, the vulnerability allows execution of arbitrary code when the user performs a search in a directory that contains a malicious ARJ archive.
- Turbo Searcher Standard Edition version 3.30 build 052705.
- Turbo Searcher Network Edition version 3.30 build 052705.
This advisory discloses a buffer overflow vulnerability in Turbo Searcher. The stack-based buffer overflow occurs due to a boundary error in the 7-Zip ARJ plugin (arj.dll) used by Turbo Searcher. It is possible to exploit the buffer overflow to execute arbitrary code.
In order to exploit this vulnerability successfully, the user must be convinced to perform a search in a directory that contains a malicious ARJ archive. In addition, the "Quick Search" option must be disabled and the "Search in compressed file" option must be enabled.
The buffer overflow occurs in arj.dll (version 220.127.116.11) that is distributed with Turbo Searcher. The vulnerability in 7-Zip ARJ handling code was previously disclosed in Secunia Advisory SA16664.
POC / Test Code
The following POC ZIP file will exploit the vulnerability in Turbo Searcher to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2.
- ts330EXP.arj (for Turbo Searcher Standard Edition version 3.30)
- tsn330EXP.arj (for Turbo Searcher Network Edition version 3.30)
- Place one of the POC file in a directory e.g. C:\test
- Run Turbo Searcher
- Select C:\test in the Path selection box.
- Uncheck/Disable the "Quick Search" option.
- Check/Enable the "Search in compressed files" option.
- Click on the "Search" button.
- Successful exploit will run calculator (calc.exe). Failed exploit will crash Turbo Searcher.
Patch / Workaround
Turbo Searcher Standard Edition:
Update to version 3.50 Build 061114.
Turbo Searcher Network Edition:
Updated version not released yet. Do not search in untrusted ARJ files.
2006-07-22 - Vulnerability Discovered.
2006-07-24 - Initial Vendor Notification.
2006-07-24 - Initial Vendor Reply.
2006-07-31 - Vendor Reminder Sent.
2006-07-31 - Vendor replied that new version will be released next month.
2006-09-01 - Vendor Reminder Sent.
2006-09-01 - Vendor replied that new version be delayed 7-14 days.
2006-10-24 - Vendor Reminder Sent.
2006-10-26 - Vendor replied that new version will be released end of the month.
2006-11-04 - Vendor Reminder Sent.
2006-11-19 - Public Release (No reply from vendor).
2006-11-23 - Received email from vendor of Japanese version (Updated patch information).