|------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | secur...@corelan.be | | | |-------------------------------------------------[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |------------------------------------------------------------------|
Advisory : CORELAN-10-019 Disclosure date : 3rd Apr 2010 0x00 : Vulnerability information ——————————– [*] Product : zip-unzip [*] Version : 6.x [*] Vendor : http://www.microviet.com/ [*] URL : http://www.microviet.com/free/zipunzip.EXE [*] Type of vulnerability : Local Stack Overflow [*] Risk rating : High [*] Issue fixed in version : none [*] Vulnerability discovered by : mr_me [*] Greetings to : The Corelan Security Team (http://www.corelan.be:8800/index.php/security/corelan-team-members/) 0x01 : Vendor description of software ————————————- >From the vendor website: No description 0x02 : Vulnerability details —————————- Local Stack Overflow: When the application recieves a malicous .zip file it can cause a buffer overflow in the 'filename' buffer of the application, resulting in code execution in the context of the currently logged in user. 0x03 : Vendor communication ————————— [*] 23rd Mar, 2010 : Vendor contacted [*] 30th Mar, 2010 : Vendor reminded of vulnerability [*] 3rd Apr, 2010 : No contact [*] 3rd Apr, 2010 : Public Disclosure 0x04 : Exploit/PoC —————— http://net-ninja.net/blog/media/blogs/b/exploits/zipunzip.php.txt _________________________________________________________________ If It Exists, You'll Find it on SEEK. Australia's #1 job site http://clk.atdmt.com/NMN/go/157639755/direct/01/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/