by Tan Chew Keong
Release Date: 2006-07-25
Some vulnerabilities have been found in DynaZip DZIP32.DLL/DZIPS32.DLL. When exploited, the vulnerabilities allow execution of arbitrary code when the user fixes (repairs) a malicious ZIP archive, or add/update/freshen files in a malicious ZIP archive.
- DynaZip Max (Evaluation Version) with DZIP32.DLL version 18.104.22.168
- DynaZip Max Secure (Evaluation Version) with DZIPS32.DLL version 22.214.171.124
This advisory discloses some buffer overflow vulnerabilities in DynaZip DZIP32.DLL/DZIPS32.DLL. The stack-based buffer overflows occur when DZIP32.DLL/DZIPS32.DLL is attempting to fix (repair) a ZIP archive that contains a file with an overly long filename, or when attempting to add/update/freshen files in a malicious ZIP archive. It is possible to exploit the buffer overflows to execute arbitrary code.
In order to exploit this vulnerability successfully, the user must be convinced to:
- Fix (Repair) a malicious ZIP file, or,
- Add, Update or Freshen a file to a malicious ZIP file.
The buffer overflows occur in DZIP32.DLL version 126.96.36.199 that is distributed with DynaZip Max, and also exist in DZIPS32.DLL version 188.8.131.52 that is distributed with DynaZip Max Secure.
The buffer overflows occur in functions that resemble the following in DZIP32.DLL/DZIPS32.DLL.
Buffer Overflow 1:
This function is called when the user "Fix" (Repair) an archive or "Add" files to an archive.
func_20011D10(arg_0, arg_4, arg_8)
char buffer[0x800]; // 2048 bytes
var1 = 0;
var2 = 0;
var3 = 0;
// Both cases will cause buffer overflow in "buffer"
// when filename of compressed file is > 2048 bytes
if(arg_8->someFlag == 0)
Buffer Overflow 2:
This function in DZIP32.DLL will be called using the filename of the compressed files in a ZIP archive when DZIP32.DLL is used to "Update" or "Freshen" files in the archive. i.e. The filename argument contains the filename of the compressed files in the ZIP archive.
func_2000C840(char *filename, arg_4, arg_8, arg_c)
char buffer[0x800] // 2048 bytes
if(filename != NULL)
if(filename != arg_c->someVar)
if(filename != arg_c->someVar2)
// Buffer overflow in "buffer" when filename of
// compressed file is > 2048 bytes
POC / Test Code
The following POC ZIP file will exploit the vulnerability in DZIP32.DLL/DZIPS32.DLL to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2.
- dzip32EXPzip.zip (exploits the overflow in ZIP Fix (Repair) functionality to run calc.exe)
- dzip32CRASHzip.zip (crashes an application that uses DZIP32.DLL/DZIPS32.DLL by overwriting saved EIP)
Instructions for reproducing buffer overflow in Fix (Repair) archive:
- Compile the "zipfixer" VC6 sample application that uses DZIP32.DLL.
- Run the compiled "zipfixer" sample application.
- Type the name of the POC ZIP file in the text box. i.e. dzip32EXPzip.zip
- Click on the "Fix It!" button.
- Successful exploit will run calculator (calc.exe). Failed exploit will crash "zipfixer".
- Run the "DynaZip Shell" sample application.
- Click on the "Open Existing ZIP..." button.
- Select the POC ZIP file in the File-Open Dialog box and click "Open". i.e. dzip32EXPzip.zip
- From the menu, select "File->Fix ZIP File"
- Successful exploit will run calculator (calc.exe). Failed exploit will crash "DynaZip Shell".
Instructions for reproducing buffer overflow in Update/Freshen archive:
- Run the "DynaZip Zip Diagnostic" sample application.
- Click on the "Browse.." button and select the POC ZIP file. i.e. dzip32CRASHzip.zip
- Select "FRESHEN" or "UPDATE" in the "Function:" pull-down combo box.
- Click on the "dzip" button.
- This will cause the application to crash due to overwritten EIP (as shown below). Attach a debugger to the process to observe the overwritten EIP.
Patch / Workaround
Update to DZIP32.DLL version 184.108.40.206 or DZIPS32.DLL version 220.127.116.11.
2006-07-04 - Vulnerability Discovered.
2006-07-12 - Initial Vendor Notification.
2006-07-12 - Initial Vendor Reply.
2006-07-23 - Fixed Versions Released.
2006-07-25 - Public Release.