Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtPedro Guillen Nunez1337DAY-ID-21194
HistorySep 03, 2013 - 12:00 a.m.

FuzeZip 1.0 SEH Buffer Overflow Vulnerability

2013-09-0300:00:00
Pedro Guillen Nunez
0day.today
31

0.001 Low

EPSS

Percentile

34.6%

JSON

FuzeZip version 1.0.0.131625 suffers from a SEH based overflow and stack based overflow which is protected by stack cookies.

Title: SEH BUFFER OVERFLOW IN FUZEZIP V.1.0
  Severity: High
  History: 16.Apr.2013 Vulnerability reported
  Authors: Josep Pi Rodriguez, Pedro Guillen Nuñez , Miguel Angel de Castro Simon
  Organization: RealPentesting
  URL: http://www.realpentesting.blogspot.com
  Product: FuzeZip
  Version: 1.0.0.131625
  Vendor: Koyote-Lab Inc
  Url Vendor: http://fuzezip.com/
  Platform: Windows
  Type of vulnerability: SEH buffer overflow
  Issue fixed in version: (Not fixed)
  CVE identifier: CVE-2013-5656

[ DESCRIPTION SOFTWARE ]

From vendor website:
FuzeZip is a sophisticated, yet easy to use, free compression tool that is based on 7-Zip technology.
FuzeZip's software has a powerful compression engine that enables fast zipping and unzipping of Zip archives, as well as creating Zip-compatible files.
FuzeZip has a user-friendly interface that makes creating, opening, extracting and saving compressed files very easy to do.

[ VULNERABILITY DETAILS ]

FuzeZip suffers from a SEH based overflow and stack based overflow which is protected by stack cookies.
Above you can see the debugged process after the seh overflow:

Registers
---------
eax=00000041 ebx=00000000 ecx=00130000 edx=048d6798 esi=0012e434 edi=00000008
eip=004e8bf3 esp=0012dd10 ebp=0012dd48 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for fuzeZip.exe -
fuzeZip!boost::archive::detail::iserializer<boost::archive::xml_wiarchive,std::list<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > >::load_object_data+0x41113:
004e8bf3 668901          mov     word ptr [ecx],ax ds:0023:00130000=6341
Seh chain
----------
0012de34: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012dfbc: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012e100: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012e2ac: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012ec1c: fuzeZip+10041 (00410041)
Invalid exception stack at 00410041

By opening a specially crafted zip file, it is possible to execute arbitrary code.We can sucesfully exploit the vulnerability in order to gain code execution and
bypassing SAFESEH.

[ VENDOR COMMUNICATION ]

16/04/2013 : vendor contacted
17/04/2013: automatic response from vendor but no reponse after
17/04/2013: vendor contacted again but no response
29/04/2013.- PUBLIC DISCLOSURE

#  0day.today [2018-02-17]  #

Related

cvelist 1
cve 1
prion 1
nvd 1
cvelist
cvelist
CVE-2013-5656
2020-01-07 16:35:23
cve
cve
CVE-2013-5656
2020-01-07 17:15:10
prion
prion
Buffer overflow
2020-01-07 17:15:00
nvd
nvd
CVE-2013-5656
2020-01-07 17:15:10

0.001 Low

EPSS

Percentile

34.6%

JSON
Related for 1337DAY-ID-21194
cvelist1cve1prion1nvd1