FuzeZip 1.0 SEH Buffer Overflow Vulnerability
Source: http://www.realpentesting.blogspot.com  Author: Nunez  Published: 2013-09-10
Title: SEH BUFFER OVERFLOW IN FUZEZIP V.1.0
  Severity: High
  History: 16.Apr.2013 Vulnerability reported
  Authors: Josep Pi Rodriguez, Pedro Guillen Nuñez , Miguel Angel de Castro Simon
  Organization: RealPentesting
  Product: FuzeZip
  Version: 1.0.0.131625
  Vendor: Koyote-Lab Inc
  Url Vendor: http://fuzezip.com/
  Platform: Windows
  Type of vulnerability: SEH buffer overflow
  Issue fixed in version: (Not fixed)
  CVE identifier: CVE-2013-5656
  
[ DESCRIPTION SOFTWARE ]
  
From vendor website:
FuzeZip is a sophisticated, yet easy to use, free compression tool that is based on 7-Zip technology.
FuzeZip's software has a powerful compression engine that enables fast zipping and unzipping of Zip archives, as well as creating Zip-compatible files.
FuzeZip has a user-friendly interface that makes creating, opening, extracting and saving compressed files very easy to do.
  
[ VULNERABILITY DETAILS ]
  
FuzeZip suffers from a stack-based buffer overflow. The overflowed function is protected by stack cookies (/GS), but the copy runs far enough to overwrite an SEH registration record on the stack, and the access violation raised by the copy itself is dispatched through that record before the function ever returns and checks its cookie. The overflow is therefore exploitable as an SEH overwrite. Below you can see the debugged process after the SEH record has been overwritten:
  
Registers
---------
eax=00000041 ebx=00000000 ecx=00130000 edx=048d6798 esi=0012e434 edi=00000008
eip=004e8bf3 esp=0012dd10 ebp=0012dd48 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for fuzeZip.exe -
fuzeZip!boost::archive::detail::iserializer<boost::archive::xml_wiarchive,std::list<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > >::load_object_data+0x41113:
004e8bf3 668901          mov     word ptr [ecx],ax ds:0023:00130000=6341
Seh chain
----------
0012de34: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012dfbc: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012e100: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012e2ac: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012ec1c: fuzeZip+10041 (00410041)
Invalid exception stack at 00410041
  
The faulting instruction is the copy itself: ax holds 0x0041 (a wide 'A') and ecx has walked past the top of the thread's stack at 0x00130000. Because the fault is raised inside the copy, before the function returns and its stack cookie is checked, the exception dispatcher walks the SEH chain first, and the record at 0012ec1c already reads 0x00410041 for both its handler and its next pointer (hence "Invalid exception stack at 00410041"). Note that the data is written as 16-bit units (the `mov word ptr [ecx],ax` and the wchar_t string type in the symbol), so each input byte lands as `41 00`; an exploit can only place UTF-16-shaped values over the handler and next pointers. By opening a specially crafted zip file it is possible to execute arbitrary code. We successfully exploited the vulnerability to gain code execution while bypassing SafeSEH; the module that supplied the handler address is not named here.
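The following is an added example, not code from the advisory or from FuzeZip: it rebuilds the SEH chain shown in the dump inside a constructed stack image and walks it the way a debugger's `!exchain` does, resolving each handler to a module and stopping when a next pointer leaves the stack. It also shows why the clobbered record reads 0x00410041: a narrow fill string pushed through a wide-character copy lands as `41 00 41 00`. The stack bounds, the USER32 base and the fuzeZip.exe image size (0x100000) are assumptions made for the example.

```c
/*
 * Added example (not from the advisory): walk an x86 SEH chain as it sits
 * on a thread's stack, reproducing what !exchain printed in the dump above.
 * Stack bounds, module ranges and the fuzeZip image size are assumed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit _EXCEPTION_REGISTRATION_RECORD as laid out on the stack */
typedef struct {
    uint32_t next;      /* next record, 0xffffffff terminates the chain */
    uint32_t handler;   /* handler address the dispatcher will call */
} seh_record_t;

typedef struct { const char *name; uint32_t base, end; } module_t;

/* Assumed: USER32.dll at its XP-era base; fuzeZip.exe size is a guess. */
static const module_t g_modules[] = {
    { "USER32",  0x7e410000u, 0x7e4a1000u },
    { "fuzeZip", 0x00400000u, 0x00500000u },
};

/* Constructed stack image covering the addresses seen in the dump. */
#define STACK_LO 0x0012d000u
#define STACK_HI 0x0012f000u
static uint8_t g_stack[STACK_HI - STACK_LO];

static int in_stack(uint32_t va) {
    return va >= STACK_LO && va < STACK_HI && STACK_HI - va >= 8;
}

static void write32(uint32_t va, uint32_t v) {
    memcpy(g_stack + (va - STACK_LO), &v, 4);   /* little-endian host assumed */
}

static int read_record(uint32_t va, seh_record_t *r) {
    if (!in_stack(va)) return 0;
    memcpy(r, g_stack + (va - STACK_LO), sizeof *r);
    return 1;
}

static const module_t *resolve(uint32_t va) {
    for (size_t i = 0; i < sizeof g_modules / sizeof g_modules[0]; i++)
        if (va >= g_modules[i].base && va < g_modules[i].end) return &g_modules[i];
    return NULL;
}

/* Signature of a narrow byte string pushed through a wchar_t conversion:
 * every other byte is zero, so the dword covering "AA" reads 0x00410041. */
static int looks_like_widened_fill(uint32_t v) {
    return v != 0 && (v & 0xff00ff00u) == 0 && (v & 0xffffu) == (v >> 16);
}

/* Copy a narrow fill string into the stack as UTF-16LE, as an unchecked
 * wide-string copy would. */
static void widen_into_stack(uint32_t va, const char *fill) {
    for (size_t i = 0; fill[i]; i++) {
        g_stack[va - STACK_LO + 2 * i]     = (uint8_t)fill[i];
        g_stack[va - STACK_LO + 2 * i + 1] = 0;
    }
}

typedef struct {
    int records;        /* records read before the walk stopped */
    int suspicious;     /* index of first record whose handler looks like fill, -1 if none */
    uint32_t bad_next;  /* next pointer that could not be followed, 0 if chain ended cleanly */
} walk_result_t;

static walk_result_t walk_chain(uint32_t head) {
    walk_result_t res = { 0, -1, 0 };
    uint32_t va = head;
    while (va != 0xffffffffu) {
        seh_record_t r;
        if (!read_record(va, &r)) { res.bad_next = va; break; }
        const module_t *m = resolve(r.handler);
        int fill = looks_like_widened_fill(r.handler);
        printf("%08x: %s+%x (%08x)%s\n", (unsigned)va, m ? m->name : "<no module>",
               (unsigned)(m ? r.handler - m->base : r.handler), (unsigned)r.handler,
               fill ? "  <-- handler is widened fill data" : "");
        if (fill && res.suspicious < 0) res.suspicious = res.records;
        res.records++;
        va = r.next;
    }
    if (res.bad_next) printf("Invalid exception stack at %08x\n", (unsigned)res.bad_next);
    return res;
}

/* Rebuild the chain from the dump: four USER32 frames, then the record that
 * the overflow overwrote with wide 'A's. */
static void build_dump_stack(void) {
    const uint32_t frames[] = { 0x0012de34u, 0x0012dfbcu, 0x0012e100u, 0x0012e2acu, 0x0012ec1cu };
    memset(g_stack, 0, sizeof g_stack);
    for (int i = 0; i < 4; i++) {
        write32(frames[i], frames[i + 1]);          /* next */
        write32(frames[i] + 4, 0x7e44048fu);        /* USER32!_except_handler3 */
    }
    write32(frames[4], 0xffffffffu);                /* last record, before the overflow */
    write32(frames[4] + 4, 0x7e44048fu);
    widen_into_stack(frames[4], "AAAA");            /* overflow lands as 41 00 41 00 ... */
}

int main(void) {
    build_dump_stack();
    walk_result_t r = walk_chain(0x0012de34u);
    printf("records=%d suspicious=%d bad_next=%08x\n", r.records, r.suspicious, (unsigned)r.bad_next);
    return 0;
}
```

Run as-is it prints the four USER32 records, then `0012ec1c: fuzeZip+10041 (00410041)` flagged as fill data and `Invalid exception stack at 00410041`, matching the dump. The walker stops on the bad next pointer for the same reason the real dispatcher would after calling the handler: the next pointer is attacker data too, so any chain walk beyond the clobbered record reads from wherever the fill points.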
  
[ VENDOR COMMUNICATION ]
  
16/04/2013: vendor contacted
17/04/2013: automatic response from vendor, no further response
17/04/2013: vendor contacted again, no response
29/04/2013: PUBLIC DISCLOSURE