[vuln.sg] DynaZip DZIP32.DLL/DZIPS32.DLL Buffer Overflow Vulnerabilities

Some vulnerabilities have been found in DynaZip DZIP32.DLL/DZIPS32.DLL. When exploited, the vulnerabilities allow execution of arbitrary code when the user fixes (repairs) a malicious ZIP archive, or add/update/freshen files in a malicious ZIP archive.

This advisory discloses some buffer overflow vulnerabilities in DynaZip DZIP32.DLL/DZIPS32.DLL. The stack-based buffer overflows occur when DZIP32.DLL/DZIPS32.DLL is attempting to fix (repair) a ZIP archive that contains a file with an overly long filename, or when attempting to add/update/freshen files in a malicious ZIP archive. It is possible to exploit the buffer overflows to execute arbitrary code.

In order to exploit this vulnerability successfully, the user must be convinced to:

The buffer overflows occur in DZIP32.DLL version 5.0.0.7 that is distributed with DynaZip Max, and also exist in DZIPS32.DLL version 6.0.0.4 that is distributed with DynaZip Max Secure.

The buffer overflows occur in functions that resemble the following in DZIP32.DLL/DZIPS32.DLL.

Buffer Overflow 1:

This function is called when the user "Fix" (Repair) an archive or "Add" files to an archive.


func_20011D10(arg_0, arg_4, arg_8)
{
	DWORD var1;
	DWORD var2;
	DWORD var3;
	DWORD bytesToWrite;
	DWORD bytesWritten;
	char buffer[0x800];		// 2048 bytes
	
	...
	var1 = 0;
	var2 = 0;
	var3 = 0;
	...
	...
	// Both cases will cause buffer overflow in "buffer"
	// when filename of compressed file is > 2048 bytes
	
	if(arg_8->someFlag == 0)
		CharToOemA(arg_0->NameOfCompressedFile, buffer);
	else
		lstrcpyA(buffer, arg_0->NameOfCompressedFile);
	...
	...
	...
}

Buffer Overflow 2:

This function in DZIP32.DLL will be called using the filename of the compressed files in a ZIP archive when DZIP32.DLL is used to "Update" or "Freshen" files in the archive. i.e. The filename argument contains the filename of the compressed files in the ZIP archive.

	
func_2000C840(char *filename, arg_4, arg_8, arg_c)
{
	DWORD unknown_var;
	WORD fatTime;
	WORD fatDate;
	FILETIME localFileTime;
	LPWIN32_FIND_DATA findFileData;
	char buffer[0x800]				// 2048 bytes
	
	if(filename != NULL)
	{
		if(filename != arg_c->someVar)
		{
			strlen(filename);
			if(filename != arg_c->someVar2)
			{
				// Buffer overflow in "buffer" when filename of
				// compressed file is > 2048 bytes
        
				lstrcpyA(buffer, filename);
				...
				...
				...
				...
			}
		}
	}
	
}

The following POC ZIP file will exploit the vulnerability in DZIP32.DLL/DZIPS32.DLL to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2.

Instructions for reproducing buffer overflow in Fix (Repair) archive:

Compile the "zipfixer" VC6 sample application that uses DZIP32.DLL.
Run the compiled "zipfixer" sample application.
Type the name of the POC ZIP file in the text box. i.e. dzip32EXPzip.zip
Click on the "Fix It!" button.
Successful exploit will run calculator (calc.exe). Failed exploit will crash "zipfixer".

Alternatively:

Run the "DynaZip Shell" sample application.
Click on the "Open Existing ZIP..." button.
Select the POC ZIP file in the File-Open Dialog box and click "Open". i.e. dzip32EXPzip.zip
From the menu, select "File->Fix ZIP File"
Successful exploit will run calculator (calc.exe). Failed exploit will crash "DynaZip Shell".

Instructions for reproducing buffer overflow in Update/Freshen archive:

Run the "DynaZip Zip Diagnostic" sample application.
Click on the "Browse.." button and select the POC ZIP file. i.e. dzip32CRASHzip.zip
Select "FRESHEN" or "UPDATE" in the "Function:" pull-down combo box.
Click on the "dzip" button.
This will cause the application to crash due to overwritten EIP (as shown below). Attach a debugger to the process to observe the overwritten EIP.

2006-07-04 - Vulnerability Discovered.
2006-07-12 - Initial Vendor Notification.
2006-07-12 - Initial Vendor Reply.
2006-07-23 - Fixed Versions Released.
2006-07-25 - Public Release.