Full Disclosure: [CORELAN-10-016] - Ken Ward Zipper .zip 0day Stack BOF

[Security <security () corelan be>]

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security () corelan be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-016
Disclosure date : March 23rd, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-016



0x00 : Vulnerability information
--------------------------------

    Product : Ken Ward's Zipper
    Version : 4.60.019
    Vendor/Author : Leung Yat Chun Joseph
    URL : http://www.trans4mind.com/personal_development/zipper/
    Platform : Windows (Tested on XP SP3 fully patched, inside VirtualBox)
    Type of vulnerability : Stack Buffer Overflow
    Risk rating : Medium
    Issue fixed in version : <not fixed>
    Vulnerability discovered by : corelanc0d3r
    Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/


0x01 : Vendor description of software
-------------------------------------
> From the vendor website:
"Zipper is a free compression program, and you don't need to pay anything for it. It doesn't contain pop-up ads or 
other annoying things. However, Zipper isn't free to maintain and wasn't free to create, because it contains commercial 
components, and was build with programming software."



0x02 : Vulnerability details
----------------------------
In order for the vulnerability to be triggered, a user must be tricked into opening a specially crafted zip file from 
within the application, and double click on a filename inside the zip file, in an attempt to extract/view it.

After roughly 1022 bytes in the filename buffer, the exception handler was overwritten, allowing an attacker to take 
full control over the application flow, inject and execute arbitrary code on the machine. 

The discovered vulnerability allows an attacker to execute arbitrary code within the context of the currently logged on 
user.


0x03 : Vendor communication
---------------------------
    March 16 : Author contacted
    March 19 : Sent reminder
    March 23 : No answer, Public disclosure


0x04 : Exploit/PoC
------------------
A detailed write-up about the process to build the exploit for this vulnerability will be posted on www.abysssec.com on 
march 23rd, 2010
(afternoon - GMT+1)

Stay tuned  (https://twitter.com/corelanc0d3r)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/