Secunia Research: SpeedProject Products ZIP/UUE File Extraction Buffer Overflow

2005-11-26T00:00:00
ID SECURITYVULNS:DOC:10386
Type securityvulns
Reporter Securityvulns
Modified 2005-11-26T00:00:00

Description

======================================================================

                 Secunia Research 24/11/2005
  • SpeedProject Products ZIP/UUE File Extraction Buffer Overflow -

====================================================================== Table of Contents

Affected Software....................................................1 Severity.............................................................2 Description of Vulnerability.........................................3 Solution.............................................................4 Time Table...........................................................5 Credits..............................................................6 References...........................................................7 About Secunia........................................................8 Verification.........................................................9

====================================================================== 1) Affected Software

  • ZipStar 5.0 Build 4285
  • Squeez 5.0 Build 4285
  • SpeedCommander 11.0 Build 4430
  • SpeedCommander 10.51 Build 4430

Prior versions may also be affected.

====================================================================== 2) Severity

Rating: Moderately Critical Impact: System access Where: Remote

====================================================================== 3) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in various SpeedProject products, which can be exploited by malicious people to compromise a user's system.

1) A boundary error exists in CxZIP60.dll and CxZIP60u.dll due to the unsafe use of the "lstrcat()" function when constructing the full pathname of a file that is extracted from a ZIP archive. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution when a specially crafted archive is extracted.

The vulnerability has been confirmed in the following products. * ZipStar 5.0 Build 4285 * Squeez 5.0 Build 4285 * SpeedCommander 11.0 Build 4430 * SpeedCommander 10.51 Build 4430

2) A boundary error exists in CxUux60.dll and CxUux60u.dll due to the unsafe use of the "lstrcpy()" function when constructing the full pathname of the file that is decoded from a UUE file. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution when a specially crafted UUE file is decoded.

The vulnerability has been confirmed in the following products. * Squeez 5.0 Build 4285 * SpeedCommander 11.0 Build 4430 * SpeedCommander 10.51 Build 4430

====================================================================== 4) Solution

Update to the fixed versions.

SpeedCommander 10: Update to version 10.52 Build 4450.

SpeedCommander 11: Update to version 11.01 Build 4450.

Squeez 5.0: Update to Squeez 5.10 Build 4460.

ZipStar 5.0: Update to ZipStar 5.10 Build 4460.

====================================================================== 5) Time Table

03/11/2005 - Initial vendor notification. 03/11/2005 - Initial vendor reply. 17/11/2005 - Vendor released fixed versions. 24/11/2005 - Public disclosure.

====================================================================== 6) Credits

Discovered by Tan Chew Keong, Secunia Research.

====================================================================== 7) References

No other references.

====================================================================== 8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

====================================================================== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2005-60/advisory/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

======================================================================