[vuln.sg] Lhaz LHA Long Filename Buffer Overflow Vulnerability

Some vulnerabilities have been found in Lhaz. When exploited, the vulnerabilities allow execution of arbitrary code when the user extracts a malicious LZH archive.

This advisory discloses two buffer overflow vulnerabilities in Lhaz. The stack-based buffer overflow vulnerabilities occur when Lhaz is extracting a LZH file that contains a compressed file with an overly long filename.

The first buffer overflow occurs due to Lhaz failing to validate the length of the filename before copying it into a 260-bytes stack buffer. The second overflow occurs when Lhaz is constructing an error message containing the overly long filename using the unsafe "sprintf()" function. Both buffer overflow vulnerabilities allow the saved EIP to be overwritten. Arbitrary code execution has been confirmed using both vulnerabilities.

NOTE: The first vulnerability is related to CVE-2004-0234 and CVE-2004-0769, which was first reported by Ulf Harnhammar and Lukasz Wojtow, since the LZH extraction code used in Lhaz is based on LHa for UNIX version 1.14d.

In order to exploit the vulnerabilities successfully, the user must be convinced to extract a malicious LZH file.

The buffer overflow vulnerabilities occur in a function that resembles the following in Lhaz.exe.

// Possible modified version of extract_one() function.

sub_41D940(arg_0, arg_4, arg_8, arg_c)
{
	DWORD var1;
	time_t utimebuf[2];
	struct stat stbuf;
	char overflowedBuffer[MAX_PATH];	// 260-bytes
	char loadStringBuf[0x20];		// 32-bytes
	char textBuffer[0x100];			// 256-bytes
	
	if(someFlag && strrstr(compressedFilename, '/'))
	{
		// Buffer Overflow when compressedFilename > 260-bytes. (including NULL)
		// 552 bytes is required to overwrite saved EIP.
	
		strcpy(overflowedBuffer, strrstr(compressedFilename, "/') + 1);
	}
	else
	{
		// Buffer Overflow when compressedFilename > 260-bytes. (including NULL)
		// 552 bytes is required to overwrite saved EIP.
		
		strcpy(overflowedBuffer, compressedFilename);
		sub_529A70(overflowedBuffer, '/');
	}
	
	...
	...
	...
	...
	...
	if (... && calculatedFileCRC != fileCRC)
	{
		LoadStringA(hInstance, 0x2A, &stbuf, 32);
		LoadStringA(hInstance, 0x76, loadStringBuf, 32);
		
		// This code may be Lhaz specific, and is executed only when the compressed file can be 
		// extracted, but the CRC do not match.
		// Note: The name of the compressed file must not be too long such that it can't be
		// created.  
		
		// Buffer overflow occurs due to unsafe use of sprintf() to construct the 
		// "File ...compressFileName.... is damaged" error message.
	
		sprintf(textBuffer, "%s %s %s", &stbuf, overflowedBuffer, loadStringBuf);
		MessageBox(hWnd, textBuffer, NULL, MB_OKCANCEL | MB_ICONEXCLAMATION | MB_APPLMODAL);
	}
			
	...
	...
}

The following screen capture shows the saved EIP being overwritten by the "sprintf()" overflow. You may need to configure your English Windows to display non-unicode programs in Japanese. Otherwise, results will be different.

The following POC LZH files will exploit the vulnerability in Lhaz to execute the harmless calculator (calc.exe). The POC has been successfully tested on Windows XP SP2 and Windows 2000 SP4.

NOTE: You may need to configure your English Windows to display non-unicode programs in Japanese. Otherwise, results will be different.

Instructions:

Download and save the POC files in C:\test
Run Lhaz.
From Lhaz, open one of the POC files.
Choose "Extract to current directory" in Lhaz to extract the file.
Successful exploit will run calculator (calc.exe). Failed exploit will crash Lhaz.

2006-08-02 - Vulnerability Discovered.
2006-08-03 - Initial Vendor Notification.
2006-08-06 - Vendor Released Fixed Version.
2006-08-06 - Public Release.