by Tan Chew Keong
Release Date: 2006-08-23
A vulnerability has been found in PowerZip. When exploited, the vulnerability allows execution of arbitrary code when the user opens a malicious ZIP archive.
PowerZip version 7.06 Build 3895.
This advisory discloses a buffer overflow vulnerability in PowerZip. The stack-based buffer overflow occurs when PowerZip is processing an archive that contains a file with an overly long filename. It is possible to exploit the buffer overflow to execute arbitrary code on Windows 2000 SP4 via a malicious ZIP file. On Windows XP SP2 systems, PowerZip will be terminated by the Data Execution Prevention (DEP) feature.
In order to exploit this vulnerability successfully, the user must be convinced to open a malicious ZIP file.
The buffer overflow occurs in a function that resembles the following in PowerZip.exe.
func_50E1A0(arg_0, .., .., ..)
lvc.mask = LVCF_SUBITEM;
SendMessage(hWnd, LVM_GETCOLUMN, arg_0->iCol, &lvc);
if(arg_0->someFlag != 1)
if(arg_0->someStruct->someStruct2->someFlag != 0)
// This causes a stack-based buffer overflow when the name of a compressed
// file (from a ZIP archive) is overly long.
POC / Test Code
The following POC ZIP file will exploit the vulnerability in PowerZip to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows 2000 SP4.
- powerzipEXP.zip (exploits the overflow to run calc.exe. This requires that PowerZip is used in English Windows 2000 SP4)
- powerzipCRASH.zip (crashes PowerZip by overrunning the stack)
- Run PowerZip
- Click on the "Open" button or select "File->Open Archive" from the menu.
- Select the POC ZIP file from the File-Open Dialog Box and click "Open".
- Successful exploit will run calculator (calc.exe). Failed exploit will crash PowerZip.
Patch / Workaround
Update to version 7.07 Build 3901.
2006-08-10 - Vulnerability Discovered.
2006-08-12 - Initial Vendor Notification.
2006-08-12 - Initial Vendor Reply.
2006-08-18 - Vendor Released Fixed Version.
2006-08-23 - Public Release.