def-2001-09: Winzip32 zipandemail Buffer Overflow

2001-03-03T00:00:00
ID SECURITYVULNS:DOC:1346
Type securityvulns
Reporter Securityvulns
Modified 2001-03-03T00:00:00

Description

====================================================================== Defcom Labs Advisory def-2001-09

            Winzip32 zipandemail Buffer Overflow

Author: Peter Grьndl <peter.grundl@defcom.com> Release Date: 2001-03-02 ====================================================================== ------------------------=[Brief Description]=------------------------- Winzip contains an exploitable buffer overflow flaw that could allow an attacker to execute arbitrary code under the user context of the user or service running winzip.

------------------------=[Affected Systems]=-------------------------- - Winzip 8.0 for Windows NT/2000

----------------------=[Detailed Description]=------------------------ The /zipandemail option in winzip contains a buffer overflow flaw when handling very long filenames. The EIP is overwritten and a carefully crafted filename could allow for execution of arbitrary code.

The probability of this happening "in the wild" is very low, as the overflow only triggers if winzip is used with this option.

Theoretically, this could occur when a .jpg with a malformed filename is 'zipped and emailed'. Alternatively if an attacker managed to place a malicious file in the log directory on an automated logging systemґ then the automated zipping and emailing of the log would trigger the overflow.

---------------------------=[Workaround]=----------------------------- Don't use the /zipandemail function indescrimantely before a fix has been released.

-------------------------=[Vendor Response]=-------------------------- The Vendor was contacted December 18th, 2000 and replied:

"Hopefully this will be corrected in the next version, fortunately this doesn't seem to a problem that many people will run into."

We agree with this statement, yet, feel that people using winzip for eg. automated log collecting should be aware of this flaw.

====================================================================== This release was brought to you by Defcom Labs

          labs@defcom.com             www.defcom.com

======================================================================