Credit:
The information has been provided by Tan Chew Keong.
The original article can be found at: http://vuln.sg/lhaz131-en.html
This advisory discloses two buffer overflow vulnerabilities in Lhaz. The stack-based buffer overflow vulnerabilities occur when Lhaz is extracting a LZH file that contains a compressed file with an overly long filename.
The first buffer overflow occurs because Lhaz fails to validate the length of the filename before copying it into a 260-byte stack buffer. The second overflow occurs when Lhaz constructs an error message containing the overly long filename using the unsafe "sprintf()" function. Both buffer overflow vulnerabilities allow the saved EIP to be overwritten. Arbitrary code execution has been confirmed using both vulnerabilities.
NOTE: The first vulnerability is related to CVE-2004-0234 and CVE-2004-0769, which were first reported by Ulf Harnhammar and Lukasz Wojtow, since the LZH extraction code used in Lhaz is based on LHa for UNIX version 1.14d.
In order to exploit the vulnerabilities successfully, the user must be convinced to extract a malicious LZH file.
The buffer overflow vulnerabilities occur in a function that resembles the following in Lhaz.exe.
    // Possible modified version of the extract_one() function.
    sub_41D940(arg_0, arg_4, arg_8, arg_c)
    {
        DWORD var1;
        time_t utimebuf[2];
        struct stat stbuf;
        char overflowedBuffer[MAX_PATH];  // 260 bytes
        char loadStringBuf[0x20];         // 32 bytes
        char textBuffer[0x100];           // 256 bytes

        if (someFlag && strrstr(compressedFilename, '/'))
        {
            // Buffer overflow when compressedFilename > 260 bytes (including NULL).
            // 552 bytes are required to overwrite the saved EIP.
            strcpy(overflowedBuffer, strrstr(compressedFilename, '/') + 1);
        }
        else
        {
            // Buffer overflow when compressedFilename > 260 bytes (including NULL).
            // 552 bytes are required to overwrite the saved EIP.
            strcpy(overflowedBuffer, compressedFilename);
            sub_529A70(overflowedBuffer, '/');
        }
        ...
        if (... && calculatedFileCRC != fileCRC)
        {
            // The decompiled code passes &stbuf as a 32-byte string buffer here.
            LoadStringA(hInstance, 0x2A, &stbuf, 32);
            LoadStringA(hInstance, 0x76, loadStringBuf, 32);
            // This code may be Lhaz specific, and is executed only when the compressed file
            // can be extracted but the CRC does not match.
            // Note: the name of the compressed file must not be so long that the file
            // cannot be created.
            // Buffer overflow occurs due to the unsafe use of sprintf() to construct the
            // "File ...compressedFilename... is damaged" error message.
            sprintf(textBuffer, "%s %s %s", &stbuf, overflowedBuffer, loadStringBuf);
            MessageBox(hWnd, textBuffer, NULL, MB_OKCANCEL | MB_ICONEXCLAMATION | MB_APPLMODAL);
        }
        ...
    }
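For comparison, the following is an added example written for this page; it is not Lhaz code and not part of the original advisory. It takes the two unsafe patterns described above (an unchecked strcpy() into a 260-byte buffer and an sprintf() into a 256-byte buffer) and rewrites them with explicit bounds: the filename is rejected before it is copied if it cannot fit, and the error message is built with snprintf(), which always NUL-terminates within the given size. The function names, the stripDirs flag, the sample filenames and the "File"/"is damaged" strings are assumptions made for this example; the 260 and 256 sizes mirror the buffers in the advisory.

```c
/* Added example, not code from Lhaz or the advisory: bounds-checked
 * versions of the two unsafe patterns. Function names, the stripDirs flag
 * and the sample inputs are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define LHZ_MAX_PATH    260   /* size of overflowedBuffer in the advisory */
#define LHZ_TEXT_BUFFER 256   /* size of textBuffer in the advisory */

/* Copy the (optionally directory-stripped) header filename into a fixed
 * buffer only if it fits, NUL included. Returns 1 on success, 0 if the
 * name is empty or too long for the buffer (the entry should be skipped). */
int lhz_copy_basename(char *out, size_t outsize,
                      const char *compressedFilename, int stripDirs)
{
    const char *name = compressedFilename;
    size_t len;

    if (stripDirs) {
        const char *slash = strrchr(compressedFilename, '/');
        if (slash != NULL)
            name = slash + 1;
    }
    len = strlen(name);
    if (len == 0 || len >= outsize)
        return 0;            /* would overflow, or leave no room for the NUL */
    memcpy(out, name, len + 1);
    return 1;
}

/* Build the "<prefix> <name> <suffix>" message with snprintf(), which never
 * writes past textsize and always NUL-terminates. Returns 1 if the whole
 * message fit, 0 if it was truncated (the truncated text is still usable). */
int lhz_format_damaged(char *text, size_t textsize, const char *prefix,
                       const char *name, const char *suffix)
{
    int n = snprintf(text, textsize, "%s %s %s", prefix, name, suffix);
    return n >= 0 && (size_t)n < textsize;
}

/* Constructed sample input: a header filename of 'len' 'A' characters
 * (capped at 599). Returned from a static buffer, so use it before the
 * next call. */
const char *lhz_sample_name(size_t len)
{
    static char buf[600];
    if (len > sizeof(buf) - 1)
        len = sizeof(buf) - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

/* Exercise both checks; returns how many of the 4 checks behaved as intended. */
int lhz_selftest(void)
{
    char path[LHZ_MAX_PATH];
    char text[LHZ_TEXT_BUFFER];
    int ok = 0;

    /* benign entry: directory part stripped, basename copied */
    if (lhz_copy_basename(path, sizeof path, "docs/readme.txt", 1) == 1
        && strcmp(path, "readme.txt") == 0)
        ok++;
    /* a 552-byte name (the advisory's saved-EIP distance) is refused, not copied */
    if (lhz_copy_basename(path, sizeof path, lhz_sample_name(552), 0) == 0)
        ok++;
    /* exactly 259 characters plus the NUL still fits */
    if (lhz_copy_basename(path, sizeof path, lhz_sample_name(259), 0) == 1
        && strlen(path) == 259)
        ok++;
    /* the message for a 300-character name is truncated but stays within 256 bytes */
    if (lhz_format_damaged(text, sizeof text, "File", lhz_sample_name(300),
                           "is damaged") == 0
        && strlen(text) == LHZ_TEXT_BUFFER - 1)
        ok++;
    return ok;
}

int main(void)
{
    int passed = lhz_selftest();
    printf("checks passed: %d of 4\n", passed);
    return passed == 4 ? 0 : 1;
}
```

The design point is that the length check happens on the untrusted header value before anything is written to the stack buffer, and that the message buffer is sized to the formatter rather than the other way round; a name that is too long is treated as a malformed archive entry rather than silently truncated.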
Solution:
Upgrade to Lhaz version 1.32.
Disclosure Timeline:
2006-08-02 - Vulnerability Discovered.
2006-08-03 - Initial Vendor Notification.
2006-08-06 - Vendor Released Fixed Version.
2006-08-06 - Public Release.