Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                     ESB-2006.0633 -- [Win][Appliance]
   Compression Plus and Tumbleweed EMF Stack Overflow Security Advisory
                             5 September 2006


        AusCERT Security Bulletin Summary

Product:              Compression Plus
                      Tumbleweed EMF
                      PowerDesk Pro 
                      Drag and Zip, Power File, and Power File Gold
Publisher:            Mnin.org
Operating System:     Network Appliance
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated

Original Bulletin:    http://www.mnin.org/advisories/2006_cp5_tweed.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

Compression Plus and Tumbleweed EMF
Stack Overflow Security Advisory


The Compression Plus library is designed to handle de/compression of popular
archiving formats such as ARC, ARK, PAK, ARJ, CAB, GZ, LBR, TAR, TAZ, TGZ, Z,
ZIP, and ZOO. The code fails to properly validate input while processing
specially crafted ZOO files, which results in a stack-based buffer overflow.
Software products that implement the Compression Plus library are vulnerable to
local or remote code execution, depending on the nature of the calling process.

Affected Software

Due to the modular nature and availability of the Compression Plus code, any
programs which load the library and call its ZOO-processing exports are
affected by this vulnerability. Exploits have been tested successfully on the
following products; however the list is not exhaustive.

Software Title       Version(s)    Vendor & Product URL       Perspective
Compression Plus     All versions  BeCubed Software           N/A
Tumbleweed EMF       All versions  Tumbleweed Communications  Remote
PowerDesk Pro        All versions  VCOM/Ontrack               Local
Drag and Zip, Power  All versions  Canyon Software            Local
File, and Power 
File Gold


Arbitrary code can be executed on vulnerable systems with a privilege level
equal to the calling process, which by default is SYSTEM on Tumbleweed EMF
servers. For all others, an attackers code will run with the privileges of the
current logged-in user.

Credit and Contact

Michael Ligh    michael.ligh@mnin.org
Greg Sinclair   gssincla@nnlsoftware.com
Amanda Wright   advisories@ladybugz.net

Exploit Design

There are several factors of this vulnerability that not only increase the
simplicity of exploiting affected software, but make it more difficult for a
defender to detect or trace the attack. As a result, exploitation can be
conducted with high reliability and with little chance of IDS or IPS

An attacker can supply up to 32KB of custom shell code or any combination of
shell code plus binary data (e.g. an additional trojan program) to be executed
on the target. There are no limitations involving NULL bytes in the payload.
Furthermore, control over EIP can be gained without hard coding addresses on
the stack or using NOP instruction sleds.

The specially crafted ZOO files retain compliance with legitimate ZOO file
format, so IDS signatures based on protocol anomalies or specific header values
will not be sufficient for detection. Email attachment and HTTP/FTP download
filtering based on file extension is also not applicable, because the
vulnerability is not extension-specific.

The traceability of an attackers actions can be influenced by routing malicious
ZOO files through a series of open SMTP proxies. With the exception of
Tumbleweed EMF, which does not require any user interaction to successfully
exploit, an attacker would need to convince recipients to open/decompress the
ZOO file from within a vulnerable program.


This vulnerability exists because the nNumberOfBytesToRead parameter to
ReadFile() is obtained from user-supplied data and there is no check to see if
its length exceeds the size of the destination buffer. A value as high as 7FFFh
can be passed to ReadFile(), however one must only specify 39Ch bytes to
overwrite the functions return pointer on the stack. The following code from a
Compression Plus library is shown below to illustrate the vulnerability.

.text:1040A71B movsx eax, word ptr [ebp+ZooHeader+24h]
.text:1040A71F push eax ; nNumberOfBytesToRead
.text:1040A720 lea eax, [ebp+var_394]
.text:1040A726 push eax ; lpBuffer
.text:1040A727 push [ebp+ZooHeader+88h]
.text:1040A72A call _ReadFileWrapper


The code should verify that the user-supplied dword at ZooHeader+24h is not
larger than the number of bytes reserved for the destination buffer. BeCubed
Software has released an updated Compression Plus DLL that complies with this
remediation technique. The fix can be obtained from
http://www.becubed.com/support.htm. In addition, the Tumbleweed Hotfix can be
obtained from https://kb1.tumbelweed.com/article.asp?article=4175&p=2.

Event Timeline

Jul 12, 2006  Began research and testing
Jul 25, 2006  Advisory drafted
Jul 26, 2006  Primary vendor (BeCubed) contacted
Aug 01, 2006  Primary vendor released a fixed DLL
Aug 01, 2006  Secondary vendor(s) contacted
Aug 22, 2006  Tumbleweed releases Hotfix for EMF 6.2.2


The scared Scooby Doo image was taken from:
The code snippet was extracted from the disassembly pane of IDA Pro:


This work is licensed under the Creative Commons Attribution 2.5 License. To
view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/
or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San
Francisco, California, 94105, USA.

Attribution should be provided both in the form of a link or reference to
http://www.mnin.org and a copy of the researchers names listed under the Credit
and Contact section of this document.

All other trademarks and copyrights referenced in this document are the
property of their respective owners.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967