Home page logo
/

bugtraq logo Bugtraq mailing list archives

R7-0004: Multiple Vendor Long ZIP Entry Filename Processing
From: bugtraq-return-6791 () securityfocus com
Date: Thu, 10 Oct 2002 13:24:43 -0600 (MDT)

Issues
MIME-Version: 1.0
From: "Rapid 7 Security Advisories" <advisory () rapid7 com>
Message-ID:
<OF0EEFF578.DDD32FD6-ON85256C47.001FDFBB-88256C47.001F8C9C () hq rapid7 com>
Date: Wed, 2 Oct 2002 22:48:29 -0700
X-MIMETrack: Serialize by Router on Zion/Rapid7/US(Release 5.0.5
|September 22, 2000) at
 10/03/2002 01:48:36 AM,
                 Serialize complete at 10/03/2002 01:48:36 AM
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid 7, Inc. Security Advisory

        Visit http://www.rapid7.com/ to download NeXpose(tm), our
         advanced vulnerability scanner. Linux and Windows 2000
                       versions are available now!
_______________________________________________________________________

   Rapid 7 Advisory R7-0004
   Multiple Vendor Long ZIP Entry Filename Processing Issues

   Published:  October 2, 2002
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0004.txt

   CERT:       CERT Vulnerability Note VU#383779
   http://www.kb.cert.org/vuls/id/383779

   Microsoft:  Microsoft Security Advisory MS02-054
   http://www.microsoft.com/technet/security/bulletin/MS02-054.asp

   CVE:        CAN-2002-0370
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0370

1. Affected system(s):

   Several different vendors and products were tested.  Many were found
   to be vulnerable.  A partial list of affected vendors follows.

   Detailed results for many vendors are being withheld pending their
   response to the issues described in this advisory.  We encourage
   customers to engage your vendors on this issue if you have any
   questions regarding their handling of specially crafted ZIP files.

   For an up-to-date list of vendor statements, see CERT Vulnerability
   Note VU#383779.

   KNOWN VULNERABLE:
    o Microsoft Windows XP
    o Microsoft Windows ME
    o Microsoft Windows 98 With Plus! Pack
    o Lotus Notes R4
    o Lotus Notes R5
    o Lotus Notes R6 (pre-gold)
    o Verity, Inc. KeyView viewing SDK
    o Aladdin Systems Stuffit Expander (pre 7.0)

   Apparently NOT VULNERABLE:
    o WinRAR is believed to be NOT vulnerable
    o WinZip 8.x is believed to be NOT vulnerable
    o zlib is believed to be NOT vulnerable

2. Summary

   Products and libraries from multiple vendors are deficient
   in their handling of zip files having entries with long
   filenames.  Typically, opening and/or processing these
   crafted zip files will result in the program crashing or
   exhibiting unpredictable behavior.  There is a possibility
   of arbitrary code execution, but no exploits are known at
   this time.

3. Vendor status and information

   This is a partial list of affected products and vendors.
   We will update our advisory as we get feedback from more
   vendors.  You may check back with us at
   ( http://www.rapid7.com/SecurityResearch.html ).

   Microsoft Windows XP
      Explorer.exe crashes when navigating through specially
      crafted ZIP files.

      The shell (Explorer.exe) in Windows XP provides functionality
      to uncompress ZIP files on-the-fly, and presents them as folders
      that users can navigate through.  There exists a buffer overflow
      in this feature which may allow malicious ZIP files to be
      constructed that execute code upon access.  It should be noted
      that Explorer.exe does not display the filename if it is too
      long.  This may work to an attacker's advantage since suspicious
      filenames would be hidden from the user.

      Microsoft was notified of this issue, and a fix is available. More
      information can be found in Microsoft Security Advisory MS02-054.
      This issue has been assigned a CVE ID of CAN-2002-0370.

   Microsoft Windows ME
      Windows ME provides functionality to uncompress ZIP files
      on-the-fly, and presents them as folders that users can navigate
      through.  There exists a buffer overflow in this feature
      which may allow malicious ZIP files to be constructed that
      execute code upon access.

      Microsoft was notified of this issue, and a fix is available. More
      information can be found in Microsoft Security Advisory MS02-054.
      This issue has been assigned a CVE ID of CAN-2002-0370.


   Microsoft Windows 98 With Plus! Pack
      Windows 98 provides functionality to uncompress ZIP files
      on-the-fly, and presents them as folders that users can navigate
      through.  There exists a buffer overflow in this feature
      which may allow malicious ZIP files to be constructed that
      execute code upon access.

      Microsoft was notified of this issue, and a fix is available. More
      information can be found in Microsoft Security Advisory MS02-054.
      This issue has been assigned a CVE ID of CAN-2002-0370.

   Lotus Notes Client R4
      Lotus Notes Client R4 crashes when viewing certain zip files
      using the built-in attachment viewer.

      The R4 Lotus Notes client incorporated attachment viewer
      technology licensed from a third party.  Choosing "View"
      attachment will invoke the viewer, which causes the Lotus Notes
      client to crash.

      Lotus has been contacted regarding this issue.  Fix information
      is unknown.  Newer clients (R5 and R6) bundle a different
      attachment viewer (see below), which is also vulnerable.


   Lotus Notes Client R5 and R6 (pre-gold)
      Lotus Notes crashes when viewing certain zip files using the
      built-in attachment viewer.

      The R5 and R6 Lotus Notes client incorporates attachment viewer
      technology licensed from Verity, Inc.  Choosing "View"
      attachment will invoke the Verity viewer, which causes the Lotus
      Notes client to crash.

      Lotus has been contacted regarding this issue.  This issue is
      being tracked as SPR# KSPR5CJV2G.

      Lotus Notes R5.0.11 and earlier are vulnerable.  Lotus plans to
      fix this issue in the next maintenance release of R5.

      All pre-Gold versions of Lotus Notes R6 are vulnerable. Lotus
      has included the fix in R6 Gold and higher.


   Verity KeyView viewing SDK
      Products based on Verity, Inc.'s KeyView SDK may crash on
      specially crafted files.

      Verity has been contacted regarding this issue.  Verity has
      produced a fix to SDK v7.0 which is available to SDK customers
      via Verity technical support.  They are tracking this as bug
      number 76316.

      Since the Verity SDK is licensed by many different vendors,
      concerned customers should obtain a fix directly from their
      vendor, rather than contacting Verity directly.


   Aladdin Stuffit Expander (all platforms)
      Aladdin Stuffit Expander versions prior to 7.0 may crash on
      specially crafted zip files.

      Aladdin Systems, Inc. has been contacted regarding this issue.
      Newer versions of Stuffit Expander are believed NOT to be
      vulnerable.  Please see http://www.stuffit.com/expander/cert.html
      for upgrade instructions and more information.

4. Solution

   Obtain a fix from your vendor.

5. Detailed analysis

   The ZIP file format reserves two bytes to indicate the length of
   an entry filename, which allows entry names of up to 65,535
   characters.

   Many vendors have been tested and notified.  Many products whose
   primary purpose has nothing to do with compression contain ZIP
   processing functionality for one reason or another.  Some examples
   include virus scanners, content scanning email gateways, "skinnable"
   products whose skins are packaged in the ZIP format, and so on.

   The original Info-ZIP public domain source code and its derivatives
   (zlib, etc.) do not appear to be vulnerable.  However, we noticed
   crashes in several Info-ZIP derived products -- the crashes
   typically occurred in the user interface code, rather than the core
   ZIP processing routines.

   To facilitate testing efforts by vendors and customers, we have made
   several example ZIP files available on our website.  Anyone may
   download these files from http://www.rapid7.com/SecurityResearch.html
   after agreeing to our terms of use.

6. Contact Information

   Rapid 7 Security Advisories
   Email:   advisory () rapid7 com
   Web:     http://www.rapid7.com/
   Phone:   +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid 7, Inc. is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information. Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.  This advisory may not be printed or distributed
   in non-electronic media without the express written permission
   of Rapid 7, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9m8P8cL76DCfug6wRArAYAJ9OYL+rcgCSkphJ2fDMjdmcg1ezUQCgudP7
LhQHemgU/hlxnXpiPp7cu5g=
=qcmV
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • R7-0004: Multiple Vendor Long ZIP Entry Filename Processing bugtraq-return-6791 (Oct 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]