WinZip is an archiving utility for the Microsoft Windows platform featuring built-in support for CAB files and for popular Internet file formats such as TAR, gzip, UUencode, BinHex, and MIME. ARJ, LZH, and ARC files are supported via external programs.
A buffer overflow vulnerability exists in WinZip that allows arbitrary code execution on the target machine when long strings are supplied in certain parameters of MIME archives.
Credit:
The information has been provided by iDEFENSE Security Advisory.
Vulnerable Systems:
* WinZip version 8.1 SR-1, possibly prior versions
* WinZip version 9.0 latest beta
Immune Systems:
* WinZip version 9.0
The problem is located in the UUDeview package, which is responsible for performing various decoding features. When long strings are supplied in certain parameters of MIME archives (.mim, .uue, .uu, .b64, .bhx, .hqx and .xxe extensions), WinZip crashes with the message "internal error in file misc.c line 132". Analysis of the log file created by WinZip upon the crash reveals:
Return address = 0x0041a923
Return address = 0x0044c06c
Return address = 0x41414141
While the offending instruction is located at:
0049c332: mov dword ptr [ecx+08], edi
Both the ECX and EDI registers are user controllable and thus allow a user to craft a MIME archive that can execute code on the target machine. For successful exploitation, a victim has to be convinced to open the crafted MIME archive and must have a vulnerable version of WinZip.
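The advisory describes the trigger only as long strings in MIME archive parameters. The following scanner is an added example for mail gateways or file-drop monitors, not code from the advisory or from WinZip/UUDeview: it unfolds MIME headers, measures the name, filename and boundary parameters (summing RFC 2231 continuations such as filename*0=/filename*1=, which a decoder joins into one value) and the filename on a uuencode/xxencode "begin" line, and flags any that exceed a length that no legitimate file name can reach. The 260-character threshold (Windows MAX_PATH) and the sample messages are constructed assumptions; the seven extensions are the ones the advisory lists.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Extensions the advisory lists as handed by WinZip to its UUDeview-based decoder.
MIME_ARCHIVE_EXTENSIONS = (".mim", ".uue", ".uu", ".b64", ".bhx", ".hqx", ".xxe")

# Assumed threshold, not taken from the advisory: a name or filename parameter
# longer than Windows' MAX_PATH (260) cannot be a legitimate file name.
MAX_VALUE_LEN = 260

# name=..., filename=..., boundary=..., including RFC 2231 sections such as
# filename*0=... / filename*1=..., quoted or bare.  Groups: (param, quoted, bare)
_PARAM_RE = re.compile(
    r'(?i)\b(name|filename|boundary)(?:\*\d+)?\*?\s*=\s*(?:"([^"\r\n]*)"|([^;\s]*))'
)
# uuencode / xxencode "begin <mode> <filename>" line.
_BEGIN_RE = re.compile(r"^begin(?:-base64)?\s+[0-7]{3,4}\s+(.*)$")


def unfold_headers(text: str) -> List[Tuple[int, str]]:
    """Join RFC 822 folded continuation lines (leading whitespace) onto the
    line before them.  Returns (1-based number of the first physical line, text)."""
    out: List[Tuple[int, str]] = []
    for idx, raw in enumerate(text.splitlines(), start=1):
        if raw[:1] in (" ", "\t") and out:
            num, prev = out[-1]
            out[-1] = (num, prev + " " + raw.strip())
        else:
            out.append((idx, raw))
    return out


def scan_text(text: str, limit: int = MAX_VALUE_LEN) -> List[Tuple[int, str, int]]:
    """Return (line, parameter, total_length) for every header parameter or
    uuencode filename whose length exceeds `limit`."""
    findings: List[Tuple[int, str, int]] = []
    for line_no, line in unfold_headers(text):
        m = _BEGIN_RE.match(line)
        if m:
            if len(m.group(1)) > limit:
                findings.append((line_no, "begin-filename", len(m.group(1))))
            continue
        # Sum continuation sections so filename*0=, filename*1=, ... are judged
        # by their combined length, which is what the decoder reassembles.
        totals: Dict[str, int] = defaultdict(int)
        for param, quoted, bare in _PARAM_RE.findall(line):
            totals[param.lower()] += len(quoted or bare)
        for param, total in totals.items():
            if total > limit:
                findings.append((line_no, param, total))
    return findings


def scan_file(path: str, limit: int = MAX_VALUE_LEN) -> List[Tuple[int, str, int]]:
    """Scan a file only if its extension is one WinZip would pass to UUDeview."""
    if not path.lower().endswith(MIME_ARCHIVE_EXTENSIONS):
        return []
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return scan_text(fh.read(), limit)


# Constructed sample messages for demonstration (not real captures).
SAMPLE_BENIGN = (
    "MIME-Version: 1.0\n"
    'Content-Type: application/octet-stream; name="report.zip"\n'
    "Content-Disposition: attachment;\n"
    '\tfilename="report.zip"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "UEsDBBQAAAAIAA==\n"
)
SAMPLE_LONG_NAME = "Content-Type: application/octet-stream;\n" ' name="' + "A" * 300 + '"\n'
SAMPLE_SPLIT_NAME = (
    'Content-Disposition: attachment; filename*0="' + "C" * 200 + '"; filename*1="' + "C" * 200 + '"\n'
)
SAMPLE_UUENCODE = "begin 644 " + "B" * 300 + "\nend\n"

if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("long name", SAMPLE_LONG_NAME),
                          ("split name", SAMPLE_SPLIT_NAME), ("uuencode", SAMPLE_UUENCODE)]:
        print(label, scan_text(sample))
```

The split-name sample is the reason continuations are summed: each section alone is under the limit, but the decoder sees a single 400-character value. BinHex (.bhx/.hqx) stores the file name inside the encoded payload rather than in a header, so this header-level check does not cover it.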
Workaround
User awareness is the best method of defense against this class of attack. Users must be wary when opening attachments or following links from untrusted sources. Removing the extension handler for the vulnerable file types prevents exploitation by double-clicking on what may appear to be a harmless WinZip archive. This can be done from Windows Explorer using Tools -> Folder Options.
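To check that the workaround above has actually been applied across a fleet, the following added script (not part of the advisory) reads the default value of HKEY_CLASSES_ROOT\.ext to find each extension's ProgID and then the ProgID's shell\open\command, which is the standard place Explorer looks for the double-click handler. The registry access is Windows-only and is passed in as a function so the audit logic can also be run against a constructed mapping; the WinZip ProgID and executable path in that mapping are assumptions used only for illustration.

```python
from typing import Callable, Dict, Iterable, List, Optional

# Extensions the advisory names as handled by WinZip's MIME/uuencode decoder.
VULNERABLE_EXTENSIONS = (".mim", ".uue", ".uu", ".b64", ".bhx", ".hqx", ".xxe")

# A lookup maps a path under HKEY_CLASSES_ROOT to that key's default value,
# or None when the key does not exist.
Lookup = Callable[[str], Optional[str]]


def registry_lookup(path: str) -> Optional[str]:
    """Read the default value of HKEY_CLASSES_ROOT\\<path> (Windows only)."""
    import winreg  # standard library, present only on Windows

    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
            value, _kind = winreg.QueryValueEx(key, "")
            return value
    except OSError:
        return None


def audit_handlers(lookup: Lookup = registry_lookup,
                   extensions: Iterable[str] = VULNERABLE_EXTENSIONS) -> Dict[str, Optional[str]]:
    """Map each extension to the command Explorer runs on double-click, or None
    when no handler is registered, i.e. the advisory's workaround is in place."""
    result: Dict[str, Optional[str]] = {}
    for ext in extensions:
        progid = lookup(ext)  # HKCR\.mim -> ProgID, e.g. some "WinZip" class
        if not progid:
            result[ext] = None
            continue
        result[ext] = lookup(progid + r"\shell\open\command")
    return result


def still_exposed(handlers: Dict[str, Optional[str]], marker: str = "winzip") -> List[str]:
    """Extensions whose open command still points at WinZip (case-insensitive)."""
    return sorted(ext for ext, cmd in handlers.items() if cmd and marker in cmd.lower())


# Constructed example of what the registry might contain; the ProgID name and
# install path are assumptions, not taken from the advisory or from WinZip.
FAKE_REGISTRY = {
    ".mim": "WinZip",
    ".uue": "WinZip",
    ".b64": "WinZip",
    r"WinZip\shell\open\command": r'"C:\Program Files\WinZip\WINZIP32.EXE" "%1"',
    ".uu": None, ".bhx": None, ".hqx": None, ".xxe": None,
}


def fake_lookup(path: str) -> Optional[str]:
    return FAKE_REGISTRY.get(path)


if __name__ == "__main__":
    import sys
    handlers = audit_handlers(registry_lookup if sys.platform == "win32" else fake_lookup)
    for ext, cmd in handlers.items():
        print(f"{ext:5} -> {cmd or '(no handler)'}")
    print("still exposed:", still_exposed(handlers))
```

Run it on the affected workstation; any extension listed under "still exposed" still opens in WinZip on double-click. Note that a per-user choice under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts can override the machine-wide association, so a complete audit also checks that hive.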