-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2006.0633 -- [Win][Appliance]
   Compression Plus and Tumbleweed EMF Stack Overflow Security Advisory
                              5 September 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Compression Plus
                      Tumbleweed EMF
                      PowerDesk Pro
                      Drag and Zip, Power File, and Power File Gold
Publisher:            Mnin.org
Operating System:     Network Appliance
                      Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated

Original Bulletin:    http://www.mnin.org/advisories/2006_cp5_tweed.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

Compression Plus and Tumbleweed EMF Stack Overflow Security Advisory

Summary

The Compression Plus library is designed to handle de/compression of popular
archiving formats such as ARC, ARK, PAK, ARJ, CAB, GZ, LBR, TAR, TAZ, TGZ, Z,
ZIP, and ZOO. The code fails to properly validate input while processing
specially crafted ZOO files, which results in a stack-based buffer overflow.
Software products that implement the Compression Plus library are vulnerable
to local or remote code execution, depending on the nature of the calling
process.

Affected Software

Due to the modular nature and availability of the Compression Plus code, any
programs which load the library and call its ZOO-processing exports are
affected by this vulnerability. Exploits have been tested successfully on the
following products; however, the list is not exhaustive.
Software Title              Version(s)    Vendor & Product URL        Perspective
Compression Plus            All versions  BeCubed Software            N/A
Tumbleweed EMF              All versions  Tumbleweed Communications   Remote
PowerDesk Pro               All versions  VCOM/Ontrack                Local
Drag and Zip, Power File,   All versions  Canyon Software             Local
  and Power File Gold

Impact

Arbitrary code can be executed on vulnerable systems with a privilege level
equal to that of the calling process, which by default is SYSTEM on Tumbleweed
EMF servers. For all others, an attacker's code will run with the privileges
of the currently logged-in user.

Credit and Contact

Michael Ligh      michael.ligh@mnin.org
Greg Sinclair     gssincla@nnlsoftware.com
Amanda Wright     advisories@ladybugz.net

Exploit Design

There are several factors of this vulnerability that not only increase the
simplicity of exploiting affected software, but make it more difficult for a
defender to detect or trace the attack. As a result, exploitation can be
conducted with high reliability and with little chance of IDS or IPS
intervention.

An attacker can supply up to 32KB of custom shell code or any combination of
shell code plus binary data (e.g. an additional trojan program) to be executed
on the target. There are no limitations involving NULL bytes in the payload.
Furthermore, control over EIP can be gained without hard coding addresses on
the stack or using NOP instruction sleds.

The specially crafted ZOO files retain compliance with the legitimate ZOO file
format, so IDS signatures based on protocol anomalies or specific header
values will not be sufficient for detection. Email attachment and HTTP/FTP
download filtering based on file extension is also not applicable, because the
vulnerability is not extension-specific. The traceability of an attacker's
actions can be influenced by routing malicious ZOO files through a series of
open SMTP proxies.
With the exception of Tumbleweed EMF, which does not require any user
interaction to successfully exploit, an attacker would need to convince
recipients to open/decompress the ZOO file from within a vulnerable program.

Details

This vulnerability exists because the nNumberOfBytesToRead parameter to
ReadFile() is obtained from user-supplied data and there is no check to see if
its length exceeds the size of the destination buffer. A value as high as
7FFFh can be passed to ReadFile(); however, one need only specify 39Ch bytes
to overwrite the function's return pointer on the stack. The following code
from a Compression Plus library illustrates the vulnerability.

    .text:1040A71B    movsx   eax, word ptr [ebp+ZooHeader+24h]
    .text:1040A71F    push    eax                        ; nNumberOfBytesToRead
    .text:1040A720    lea     eax, [ebp+var_394]
    .text:1040A726    push    eax                        ; lpBuffer
    .text:1040A727    push    [ebp+ZooHeader+88h]
    .text:1040A72A    call    _ReadFileWrapper

Remediation

The code should verify that the user-supplied dword at ZooHeader+24h is not
larger than the number of bytes reserved for the destination buffer. BeCubed
Software has released an updated Compression Plus DLL that complies with this
remediation technique. The fix can be obtained from
http://www.becubed.com/support.htm. In addition, the Tumbleweed Hotfix can be
obtained from https://kb1.tumbelweed.com/article.asp?article=4175&p=2.

Event Timeline

Jul 12, 2006    Began research and testing
Jul 25, 2006    Advisory drafted
Jul 26, 2006    Primary vendor (BeCubed) contacted
Aug 01, 2006    Primary vendor released a fixed DLL
Aug 01, 2006    Secondary vendor(s) contacted
Aug 22, 2006    Tumbleweed releases Hotfix for EMF 6.2.2

Attributions

The scared Scooby Doo image was taken from: http://www.jecolorie.com.
The code snippet was extracted from the disassembly pane of IDA Pro:
http://www.datarescue.com

License

This work is licensed under the Creative Commons Attribution 2.5 License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative
Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
Attribution should be provided both in the form of a link or reference to
http://www.mnin.org and a copy of the researchers' names listed under the
Credit and Contact section of this document. All other trademarks and
copyrights referenced in this document are the property of their respective
owners.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRP0Twih9+71yA2DNAQKwZgP7BANDcuNCRIu+tAQMfdhoHQ5Sc1Y3o5Ll
eiEiSio3IvzcG09sp9/cKjIH9zgeH1EntoFqKKpbx5OTJEcEcyaYJxW7yCNhhoqz
I4k4MK+Gk5hND8hy93cpxtKu6XZpRRed6vP0j3HOQPceuIzDJAC+PPlB8ehdaZIQ
Am9P6rR9De0=
=i9CG
-----END PGP SIGNATURE-----
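The bounds check that the Remediation section of the included advisory asks for, written as an added C example; this is not code from the advisory, BeCubed or Tumbleweed. The header layout (a 0x30-byte header with a little-endian 16-bit length at offset 0x24), the in-memory ReadFile stand-in and the sample archive entries are all constructed assumptions for the example; only the 0x394-byte destination size and the sign-extended word read (movsx) are taken from the disassembly shown in the Details section. The reader decodes the length field exactly as the library does, then refuses the entry before any copy if the value is negative or larger than the destination buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout for this example only, NOT the real ZOO directory
 * entry: a little-endian 16-bit length field at offset 0x24 of a 0x30-byte
 * header, mirroring "movsx eax, word ptr [ebp+ZooHeader+24h]" in the
 * advisory's disassembly. Every other field of the format is ignored. */
#define HEADER_SIZE       0x30
#define LEN_FIELD_OFFSET  0x24
#define DEST_BUF_SIZE     0x394   /* size of the stack buffer (var_394) */

enum read_status { READ_OK = 0, READ_SHORT = 1, READ_TOO_LARGE = 2 };

/* In-memory stand-in for a file handle so the example runs offline. */
struct mem_file { const uint8_t *data; size_t len; size_t pos; };

/* Stand-in for the ReadFile wrapper: copies up to n bytes into dst and
 * returns how many bytes were actually available. */
static size_t read_file(struct mem_file *f, uint8_t *dst, size_t n)
{
    size_t avail = f->len - f->pos;
    size_t take = n < avail ? n : avail;
    memcpy(dst, f->data + f->pos, take);
    f->pos += take;
    return take;
}

/* Decode the length field the way the library does: a 16-bit word that is
 * sign-extended (movsx), so 0x8000..0xFFFF become negative values. */
static int header_length_field(const uint8_t *hdr)
{
    return (int16_t)(hdr[LEN_FIELD_OFFSET] | (hdr[LEN_FIELD_OFFSET + 1] << 8));
}

/* Hardened reader. The unpatched code pushed the header word straight into
 * nNumberOfBytesToRead with a fixed-size stack buffer as lpBuffer; the only
 * change the remediation requires is the range check below, performed
 * before a single byte is copied into dst. */
static enum read_status read_entry_checked(struct mem_file *f,
                                           uint8_t *dst, size_t dst_size,
                                           size_t *bytes_read)
{
    uint8_t hdr[HEADER_SIZE];
    if (read_file(f, hdr, sizeof hdr) != sizeof hdr)
        return READ_SHORT;                 /* truncated header */

    int n = header_length_field(hdr);
    if (n < 0 || (size_t)n > dst_size)     /* the missing bounds check */
        return READ_TOO_LARGE;

    *bytes_read = read_file(f, dst, (size_t)n);
    return READ_OK;
}

/* Build a constructed archive entry (header + payload_len filler bytes) with
 * the given length field, parse it with the checked reader, and return the
 * number of bytes copied, or a negative read_status if it was rejected. */
static long parse_constructed(uint16_t len_field, size_t payload_len)
{
    static uint8_t file[HEADER_SIZE + DEST_BUF_SIZE];
    uint8_t dest[DEST_BUF_SIZE];
    size_t got = 0;

    if (payload_len > DEST_BUF_SIZE) payload_len = DEST_BUF_SIZE;
    memset(file, 0, sizeof file);
    file[LEN_FIELD_OFFSET]     = (uint8_t)(len_field & 0xFF);
    file[LEN_FIELD_OFFSET + 1] = (uint8_t)(len_field >> 8);
    memset(file + HEADER_SIZE, 'A', payload_len);

    struct mem_file f = { file, HEADER_SIZE + payload_len, 0 };
    enum read_status st = read_entry_checked(&f, dest, sizeof dest, &got);
    return st == READ_OK ? (long)got : -(long)st;
}

int main(void)
{
    printf("length 0x10, fits:            %ld\n", parse_constructed(0x0010, 0x10));
    printf("length 0x394, exactly fits:   %ld\n", parse_constructed(0x0394, 0x394));
    printf("length 0x39C, over by 8:      %ld\n", parse_constructed(0x039C, 0x10));
    printf("length 0x7FFF, far too large: %ld\n", parse_constructed(0x7FFF, 0x10));
    printf("length 0xFFFF, sign-extends:  %ld\n", parse_constructed(0xFFFF, 0x10));
    return 0;
}
```

Note that the check compares the decoded, sign-extended value rather than the raw 16-bit word: a field of 0xFFFF would otherwise pass a naive `n > dst_size` comparison as -1 and then be converted to a huge size_t at the ReadFile call. The 39Ch value from the advisory is rejected because it exceeds the 394h-byte buffer, which is exactly the condition that let the return address be overwritten.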