-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2006.0633 -- [Win][Appliance]
   Compression Plus and Tumbleweed EMF Stack Overflow Security Advisory
                             5 September 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Compression Plus
                      Tumbleweed EMF
                      PowerDesk Pro 
                      Drag and Zip, Power File, and Power File Gold
Publisher:            Mnin.org
Operating System:     Network Appliance
                      Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated

Original Bulletin:    http://www.mnin.org/advisories/2006_cp5_tweed.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

Compression Plus and Tumbleweed EMF
Stack Overflow Security Advisory


Summary

The Compression Plus library is designed to handle de/compression of popular
archiving formats such as ARC, ARK, PAK, ARJ, CAB, GZ, LBR, TAR, TAZ, TGZ, Z,
ZIP, and ZOO. The code fails to properly validate input while processing
specially crafted ZOO files, which results in a stack-based buffer overflow.
Software products that implement the Compression Plus library are vulnerable to
local or remote code execution, depending on the nature of the calling process.


Affected Software

Due to the modular nature and availability of the Compression Plus code, any
programs which load the library and call its ZOO-processing exports are
affected by this vulnerability. Exploits have been tested successfully on the
following products; however the list is not exhaustive.

Software Title       Version(s)    Vendor & Product URL       Perspective
Compression Plus     All versions  BeCubed Software           N/A
Tumbleweed EMF       All versions  Tumbleweed Communications  Remote
PowerDesk Pro        All versions  VCOM/Ontrack               Local
Drag and Zip, Power  All versions  Canyon Software            Local
File, and Power 
File Gold


Impact

Arbitrary code can be executed on vulnerable systems with a privilege level
equal to that of the calling process, which by default is SYSTEM on Tumbleweed
EMF servers. For all other affected products, an attacker's code will run with
the privileges of the currently logged-in user.


Credit and Contact

Michael Ligh    michael.ligh@mnin.org
Greg Sinclair   gssincla@nnlsoftware.com
Amanda Wright   advisories@ladybugz.net


Exploit Design

Several properties of this vulnerability not only make affected software simple
to exploit, but also make the attack harder for a defender to detect or trace.
As a result, exploitation can be conducted with high reliability and with little
chance of IDS or IPS intervention.

An attacker can supply up to 32KB of custom shell code or any combination of
shell code plus binary data (e.g. an additional trojan program) to be executed
on the target. There are no limitations involving NULL bytes in the payload.
Furthermore, control over EIP can be gained without hard coding addresses on
the stack or using NOP instruction sleds.

The specially crafted ZOO files retain compliance with legitimate ZOO file
format, so IDS signatures based on protocol anomalies or specific header values
will not be sufficient for detection. Email attachment and HTTP/FTP download
filtering based on file extension is also not applicable, because the
vulnerability is not extension-specific.

The traceability of an attacker's actions can be reduced by routing malicious
ZOO files through a series of open SMTP proxies. With the exception of
Tumbleweed EMF, which requires no user interaction to exploit successfully, an
attacker would need to convince recipients to open/decompress the ZOO file from
within a vulnerable program.


Details

This vulnerability exists because the nNumberOfBytesToRead parameter to
ReadFile() is obtained from user-supplied data (a 16-bit field in the ZOO
header, sign-extended by movsx) and there is no check that it is within the
size of the destination buffer. A value as high as 7FFFh can be passed to
ReadFile(), but only 39Ch bytes are needed to overwrite the function's return
pointer on the stack (the destination buffer, var_394, lies 394h bytes below
the saved frame pointer). The following code from a Compression Plus library
illustrates the vulnerability.

.text:1040A71B movsx eax, word ptr [ebp+ZooHeader+24h]
.text:1040A71F push eax ; nNumberOfBytesToRead
.text:1040A720 lea eax, [ebp+var_394]
.text:1040A726 push eax ; lpBuffer
.text:1040A727 push [ebp+ZooHeader+88h]
.text:1040A72A call _ReadFileWrapper


Remediation

The code should verify that the user-supplied 16-bit length at ZooHeader+24h is
not larger than the number of bytes reserved for the destination buffer.
Because the value is sign-extended before being passed to ReadFile(), the check
must also reject negative values (high bit set), which would otherwise become a
very large DWORD count rather than a small one. BeCubed Software has released an
updated Compression Plus DLL that implements this check. The fix can be obtained
from http://www.becubed.com/support.htm. In addition, the Tumbleweed Hotfix can
be obtained from https://kb1.tumbelweed.com/article.asp?article=4175&p=2.
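The following C program is an added example, not code from the advisory,
BeCubed or Tumbleweed. It models the length check described in the Details and
Remediation sections above: the ZOO member header is treated as an opaque byte
block whose only field of interest is the 16-bit length at offset 24h, widened
with sign extension exactly as the movsx in the listing does, and compared
against the 394h-byte destination buffer. The header size (90h bytes), the
function names and the use of memcpy in place of ReadFile() are assumptions
made for the example; the offsets and buffer size are the figures quoted in the
advisory.

```c
/* Added example (not the advisory's or the vendor's code): models the
 * length check the Remediation section calls for.  Assumptions: the ZOO
 * member header is an opaque byte block; the only field used is the
 * 16-bit length at offset 0x24, which the disassembly sign-extends
 * (movsx) into the ReadFile size.  The 0x394-byte destination and the
 * 0x39C return-address offset are the figures quoted in the advisory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ZOO_LEN_OFFSET   0x24   /* word read by movsx in the listing */
#define DEST_BUF_SIZE    0x394  /* var_394: size of the stack buffer */
#define RET_OVERWRITE    0x39C  /* bytes needed to clobber the return address */

/* Mirror the x86 movsx: widen the signed 16-bit field to 32 bits. */
static int32_t zoo_length_as_read(const uint8_t *hdr)
{
    int16_t w;
    memcpy(&w, hdr + ZOO_LEN_OFFSET, sizeof w);  /* little-endian host assumed */
    return (int32_t)w;
}

/* The count ReadFile would be handed before any check.  ReadFile takes a
 * DWORD, so a negative movsx result becomes an enormous request. */
static uint32_t zoo_requested_read(const uint8_t *hdr)
{
    return (uint32_t)zoo_length_as_read(hdr);
}

/* The fix: accept the length only if it is non-negative and fits. */
static int zoo_length_is_safe(const uint8_t *hdr, size_t dest_size)
{
    int32_t n = zoo_length_as_read(hdr);
    if (n < 0) return 0;                  /* high bit set: sign-extended to >2 GB */
    if ((size_t)n > dest_size) return 0;  /* would run past the stack buffer */
    return 1;
}

/* Hardened read: refuses unsafe requests, never copies more than the
 * header asked for or more than fits.  'src' stands in for the bytes
 * ReadFile would deliver from the archive. */
static int zoo_read_member(const uint8_t *hdr, const uint8_t *src, size_t src_len,
                           uint8_t *dest, size_t dest_size, size_t *out_len)
{
    if (!zoo_length_is_safe(hdr, dest_size)) return -1;
    size_t n = (size_t)zoo_length_as_read(hdr);
    if (n > src_len) n = src_len;  /* short read, as ReadFile would report */
    memcpy(dest, src, n);
    *out_len = n;
    return 0;
}

/* Build a constructed (hypothetical) header carrying the given length. */
static void make_zoo_header(uint8_t *hdr, size_t hdr_size, uint16_t len)
{
    memset(hdr, 0, hdr_size);
    hdr[ZOO_LEN_OFFSET]     = (uint8_t)(len & 0xff);
    hdr[ZOO_LEN_OFFSET + 1] = (uint8_t)(len >> 8);
}

int main(void)
{
    uint8_t hdr[0x90];  /* assumed size; covers the +0x88 field in the listing */
    uint16_t cases[] = { 0x100, DEST_BUF_SIZE, RET_OVERWRITE, 0x7FFF, 0x8000 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        make_zoo_header(hdr, sizeof hdr, cases[i]);
        printf("length 0x%04X -> ReadFile would be asked for 0x%08X bytes: %s\n",
               cases[i], zoo_requested_read(hdr),
               zoo_length_is_safe(hdr, DEST_BUF_SIZE) ? "accepted" : "rejected");
    }
    return 0;
}
```

A length of exactly 394h is accepted (it fills the buffer without spilling),
39Ch and 7FFFh are rejected as too large, and 8000h is rejected because the
sign extension turns it into FFFF8000h, a request no stack buffer could hold.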


Event Timeline

Jul 12, 2006  Began research and testing
Jul 25, 2006  Advisory drafted
Jul 26, 2006  Primary vendor (BeCubed) contacted
Aug 01, 2006  Primary vendor released a fixed DLL
Aug 01, 2006  Secondary vendor(s) contacted
Aug 22, 2006  Tumbleweed releases Hotfix for EMF 6.2.2


Attributions

The scared Scooby Doo image was taken from:
http://www.jecolorie.com.
The code snippet was extracted from the disassembly pane of IDA Pro:
http://www.datarescue.com


License

This work is licensed under the Creative Commons Attribution 2.5 License. To
view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/
or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San
Francisco, California, 94105, USA.

Attribution should be provided both in the form of a link or reference to
http://www.mnin.org and a copy of the researchers names listed under the Credit
and Contact section of this document.

All other trademarks and copyrights referenced in this document are the
property of their respective owners.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRP0Twih9+71yA2DNAQKwZgP7BANDcuNCRIu+tAQMfdhoHQ5Sc1Y3o5Ll
eiEiSio3IvzcG09sp9/cKjIH9zgeH1EntoFqKKpbx5OTJEcEcyaYJxW7yCNhhoqz
I4k4MK+Gk5hND8hy93cpxtKu6XZpRRed6vP0j3HOQPceuIzDJAC+PPlB8ehdaZIQ
Am9P6rR9De0=
=i9CG
-----END PGP SIGNATURE-----