CheckMark MultiLedger - "A proven integrated, networkable financial package for small businesses, MultiLedger is easy to use and installs quickly".
The CheckMark MultiLedger accounting system for Windows is confirmed to be affected by a buffer overflow vulnerability due to its use of a third-party DLL called DUNZIP32.dll.
Credit:
The information has been provided by Juha-Matti Laurio.
The original article can be found at:
http://www.networksecurity.fi/advisories/multiledger.html
Vulnerable Systems:
* CheckMark MultiLedger version 6.0.3. Other versions may also be affected.
* DynaZip library version 3.0.0.14 (according to InnerMedia, versions 5.00.03 and prior are affected)
Related advisories:
Windows Shell ZIP File Decompression DUNZIP32.DLL Buffer Overflow
The vulnerability is caused by a boundary error in an old, vulnerable version of a third-party compression library (DUNZIP32.dll) used in the company data restore functions. This can be exploited to cause a buffer overflow via a specially crafted company backup file. When a specially crafted .zip backup file containing a file with an overly long filename (the name of a file or files inside the ZIP) is opened, the application will crash and the attacker may be able to execute arbitrary code on the user's system.
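A pre-restore check for the condition described above, as an added example that is not part of the original advisory or of the vendor's software: it lists entries in a .zip backup whose stored name is longer than a limit, reading both the central directory and each local file header. The 255-byte limit and all function names are assumptions made for this example; the advisory does not state the length that triggers the overflow.

```python
import struct
import sys
import zipfile

# Assumption: the advisory gives no exact length that triggers the overflow,
# so 255 bytes per entry name is a conservative limit chosen for this example.
MAX_NAME_LEN = 255
LOCAL_HEADER_SIG = b"PK\x03\x04"


def central_name_len(info):
    """Byte length of the entry name as stored in the central directory."""
    encoding = "utf-8" if info.flag_bits & 0x800 else "cp437"
    return len(info.orig_filename.encode(encoding, "replace"))


def local_name_len(fileobj, offset):
    """Name length field of the local file header, or None if unreadable."""
    fileobj.seek(offset)
    header = fileobj.read(30)  # fixed part of a local file header
    if len(header) < 30 or header[:4] != LOCAL_HEADER_SIG:
        return None
    return struct.unpack_from("<H", header, 26)[0]


def long_names(fileobj, limit=MAX_NAME_LEN):
    """Return (name_prefix, central_len, local_len) for each over-long entry.

    Both headers are checked because they can disagree in a malformed archive.
    """
    findings = []
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            central = central_name_len(info)
            local = local_name_len(fileobj, info.header_offset)
            if max(central, local or 0) > limit:
                findings.append((info.orig_filename[:40], central, local))
    return findings


if __name__ == "__main__":
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                hits = long_names(fh)
        except (OSError, zipfile.BadZipFile) as exc:
            print(f"{path}: not scanned ({exc})")
            continue
        print(f"{path}: {'REJECT' if hits else 'ok'} {hits}")
```

Run it with one or more backup file paths as arguments before restoring them; a file that is not scanned should be treated the same as a rejected one.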
Vendor Status:
Updated software version 7.0.2 is available from the vendor:
http://www.checkmark.com/support/patch_win_ml.php
"Installation Instructions: You need at least version 7.0 of MultiLedger for Windows in order to run this patch."
Software Updates for Registered Users:
http://www.checkmark.com/order/updates.php
Workaround:
As a workaround, the Dunzip32.dll library can be deleted or renamed, or un-registered with the Windows "Regsvr32 /u" command.
NOTE: This method breaks the application's Backup and Restore functions and is not recommended.
Disclosure Timeline:
* 24-Jan-2005 - Vulnerability researched and confirmed
* 24-Jan-2005 - Vendor was contacted, workarounds delivered to the vendor
* 24-Jan-2005 - Vendor's reply to CheckMark for Windows vulnerability
* 04-Mar-2005 - Vendor informed about upcoming, fixed version
* 11-Oct-2005 - Detailed research
* 26-Oct-2005 - Vendor was contacted again
* 26-Oct-2005 - Vendor's reply, vulnerability is fixed
* 28-Oct-2005 - Security companies and several CERT units contacted