|------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | secur...@corelan.be | | | |-------------------------------------------------[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |------------------------------------------------------------------|
Advisory : CORELAN-10-032 Disclosure date : 21st Apr 2010 http://www.corelan.be:8800/advisories.php?id=CORELAN-10-032 0x00 : Vulnerability information [+] Product : Easyzip 2000 [+] Version : 3.5 [+] Vendor : http://www.thefreesite.com/ [+] URL : http://www.thefreesite.com/ezip35.exe [+] Type of vulnerability : Local Buffer Overflow [+] Risk rating : High [+] Issue fixed in version : none [+] Vulnerability discovered by : mr_me [+] Greetings to : The Corelan Security Team (http://www.corelan.be:8800/index.php/security/corelan-team-members/) 0x01 : Vendor description of software >From the vendor website: This freeware utility is a powerful, easy-to-use FREE zip and unzip utility. It offers all the features you'd find in the commercial compression programs. 0x02 : Vulnerability details Local Stack Overflow: When the application receives a malicious '.zip' file it fails to properly sanitize the 'filename' section on the zip resulting in a stack based buffer overflow. 0x03 : Vendor communication [*] 8th Apr, 2010 : Vendor contacted [*] 18th Apr, 2010 : Vendor reminded of vulnerability [*] 25th Apr, 2010 : No response [*] 25th Apr, 2010 : Public Disclosure 0x04 : Exploit/PoC http://www.corelan.be:8800/advisories.php?id=CORELAN-10-032 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/