首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WinArchiver 3.2 SEH Buffer Overflow Vulnerability
来源:http://www.realpentesting.blogspot.com 作者:Nunez 发布时间:2013-09-10  
Title: SEH BUFFER OVERFLOW IN WINARCHIVER V.3.2
  Severity: Critical
  History: 24.Apr.2013 Vulnerability reported
  Authors: Josep Pi Rodriguez, Pedro Guillen Nuñez , Miguel Angel de Castro Simon
  Organization: RealPentesting
  Product: WinArchiver
  Version: 3.2
  Vendor: PowerSoftware
  Url Vendor: http://winarchiver.com
  Platform: Windows
  Type of vulnerability: SEH buffer overflow
  Issue fixed in version: (Not fixed)
  CVE identifier: CVE-2013-5660
  
[ DESCRIPTION SOFTWARE ]
  
From vendor website:
WinArchiver is a powerful archive utility, which can open, create, and manage archive files. It supports almost all archive formats, including zip, rar, 7z, iso, and other popular formats. WinArchiver can also mount the archive to a virtual drive without extraction.
  
[ VULNERABILITY DETAILS ]
  
WinArchiver suffers from a SEH based overflow
Above you can see the debugged process after the seh overflow. As you can see in the bold letters the structure exception handler (seh) has overwritten by 00410041 which is manipulated by us. The proof of concept .zip file is attached in this mail. You have to open the .zip with WinArchiver and click the extract button in order to trigger the vulnerability.
  
Registers
---------
eax=00000041 ebx=000017a6 ecx=043b0000 edx=7fffdf41 esi=043aed84 edi=043aed58
eip=004e64cb esp=043ae8cc ebp=043ae8d0 iopl=0         nv up ei pl nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010213
*** ERROR: Module load completed but symbols could not be loaded for C:\Archivos de Programa\WinArchiver\WinArchiver.exe
WinArchiver+0xe64cb:
004e64cb 668901          mov     word ptr [ecx],ax        ds:0023:043b0000=????
Seh chain
----------
!exchain
043aff0c: WinArchiver+10041 (00410041)
Invalid exception stack at 00410041
  
By opening a specially crafted zip file, it is possible to execute arbitrary code.We can sucesfully exploit the vulnerability in order to gain code execution.
  
[ VENDOR COMMUNICATION ]
  
20/04/2013 : vendor contacted.No response
24/04/2013 : vendor contacted again.No response
29/04/2013:  PUBLIC DISCLOSURE
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FuzeZip 1.0 SEH Buffer Overflo
·Fog Dragonfly 0.8.2 Command In
·PWStore 2010.8.30.0 Cross Site
·freeFTPd 1.0.10 PASS Command S
·GreenBrowser 6.4.0515 - Heap O
·HP SiteScope Remote Code Execu
·Oracle Java lookUpByteBI - Hea
·MS13-055 Microsoft Internet Ex
·PotPlayer 1.5.39036 (.wav) - C
·Watchguard Server Center 11.7.
·Wiz 5.0.3 User Mode Write Acce
·eM Client e-mail client v5.0.1
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved