From advisory@rapid7.com Fri Oct 4 02:16:16 2002
From: Rapid 7 Security Advisories
To: full-disclosure@lists.netsys.com
Date: Wed, 2 Oct 2002 22:30:35 -0700
Subject: [Full-Disclosure] R7-0004: Multiple Vendor Long ZIP Entry Filename Processing Issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Rapid 7, Inc. Security Advisory

Visit http://www.rapid7.com/ to download NeXpose(tm), our advanced
vulnerability scanner. Linux and Windows 2000 versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-0004
Multiple Vendor Long ZIP Entry Filename Processing Issues

Published: October 2, 2002
Revision: 1.0
http://www.rapid7.com/advisories/R7-0004.txt

CERT: CERT Vulnerability Note VU#383779
http://www.kb.cert.org/vuls/id/383779

Microsoft: Microsoft Security Advisory MS02-054
http://www.microsoft.com/technet/security/bulletin/MS02-054.asp

CVE: CAN-2002-0370
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0370

1. Affected system(s):

Several different vendors and products were tested. Many were found to be
vulnerable. A partial list of affected vendors follows. Detailed results for
many vendors are being withheld pending their response to the issues
described in this advisory. We encourage customers to engage their vendors on
this issue if they have any questions regarding their handling of specially
crafted ZIP files. For an up-to-date list of vendor statements, see CERT
Vulnerability Note VU#383779.

KNOWN VULNERABLE:

o Microsoft Windows XP
o Microsoft Windows ME
o Microsoft Windows 98 With Plus! Pack
o Lotus Notes R4
o Lotus Notes R5
o Lotus Notes R6 (pre-gold)
o Verity, Inc. KeyView viewing SDK
o Aladdin Systems Stuffit Expander (pre 7.0)

Apparently NOT VULNERABLE:

o WinRAR is believed to be NOT vulnerable
o WinZip 8.x is believed to be NOT vulnerable
o zlib is believed to be NOT vulnerable

2. Summary

Products and libraries from multiple vendors are deficient in their handling
of ZIP files having entries with long filenames. Typically, opening and/or
processing these crafted ZIP files will result in the program crashing or
exhibiting unpredictable behavior. There is a possibility of arbitrary code
execution, but no exploits are known at this time.

3. Vendor status and information

This is a partial list of affected products and vendors. We will update our
advisory as we get feedback from more vendors. You may check back with us at
( http://www.rapid7.com/SecurityResearch.html ).

Microsoft Windows XP

Explorer.exe crashes when navigating through specially crafted ZIP files.
The shell (Explorer.exe) in Windows XP provides functionality to uncompress
ZIP files on-the-fly, and presents them as folders that users can navigate
through. There exists a buffer overflow in this feature which may allow
malicious ZIP files to be constructed that execute code upon access.

It should be noted that Explorer.exe does not display the filename if it is
too long. This may work to an attacker's advantage, since suspicious
filenames would be hidden from the user.

Microsoft was notified of this issue, and a fix is available. More
information can be found in Microsoft Security Advisory MS02-054. This issue
has been assigned a CVE ID of CAN-2002-0370.

Microsoft Windows ME

Windows ME provides functionality to uncompress ZIP files on-the-fly, and
presents them as folders that users can navigate through. There exists a
buffer overflow in this feature which may allow malicious ZIP files to be
constructed that execute code upon access.

Microsoft was notified of this issue, and a fix is available. More
information can be found in Microsoft Security Advisory MS02-054. This issue
has been assigned a CVE ID of CAN-2002-0370.

Microsoft Windows 98 With Plus! Pack

Windows 98 provides functionality to uncompress ZIP files on-the-fly, and
presents them as folders that users can navigate through. There exists a
buffer overflow in this feature which may allow malicious ZIP files to be
constructed that execute code upon access.

Microsoft was notified of this issue, and a fix is available. More
information can be found in Microsoft Security Advisory MS02-054. This issue
has been assigned a CVE ID of CAN-2002-0370.

Lotus Notes Client R4

Lotus Notes Client R4 crashes when viewing certain ZIP files using the
built-in attachment viewer. The R4 Lotus Notes client incorporated attachment
viewer technology licensed from a third party. Choosing "View" attachment
will invoke the viewer, which causes the Lotus Notes client to crash.

Lotus has been contacted regarding this issue. Fix information is unknown.
Newer clients (R5 and R6) bundle a different attachment viewer (see below),
which is also vulnerable.

Lotus Notes Client R5 and R6 (pre-gold)

Lotus Notes crashes when viewing certain ZIP files using the built-in
attachment viewer. The R5 and R6 Lotus Notes clients incorporate attachment
viewer technology licensed from Verity, Inc. Choosing "View" attachment will
invoke the Verity viewer, which causes the Lotus Notes client to crash.

Lotus has been contacted regarding this issue. This issue is being tracked as
SPR# KSPR5CJV2G. Lotus Notes R5.0.11 and earlier are vulnerable. Lotus plans
to fix this issue in the next maintenance release of R5. All pre-Gold
versions of Lotus Notes R6 are vulnerable. Lotus has included the fix in R6
Gold and higher.

Verity KeyView viewing SDK

Products based on Verity, Inc.'s KeyView SDK may crash on specially crafted
files. Verity has been contacted regarding this issue. Verity has produced a
fix to SDK v7.0 which is available to SDK customers via Verity technical
support. They are tracking this as bug number 76316. Since the Verity SDK is
licensed by many different vendors, concerned customers should obtain a fix
directly from their vendor, rather than contacting Verity directly.

Aladdin Stuffit Expander (all platforms)

Aladdin Stuffit Expander versions prior to 7.0 may crash on specially crafted
ZIP files. Aladdin Systems, Inc. has been contacted regarding this issue.
Newer versions of Stuffit Expander are believed NOT to be vulnerable. Please
see http://www.stuffit.com/expander/cert.html for upgrade instructions and
more information.

4. Solution

Obtain a fix from your vendor.

5. Detailed analysis

The ZIP file format reserves two bytes to indicate the length of an entry
filename, which allows entry names of up to 65,535 characters.

Many vendors have been tested and notified. Many products whose primary
purpose has nothing to do with compression contain ZIP processing
functionality for one reason or another. Some examples include virus
scanners, content scanning email gateways, "skinnable" products whose skins
are packaged in the ZIP format, and so on.

The original Info-ZIP public domain source code and its derivatives (zlib,
etc.) do not appear to be vulnerable. However, we noticed crashes in several
Info-ZIP derived products; the crashes typically occurred in the user
interface code, rather than in the core ZIP processing routines.

To facilitate testing efforts by vendors and customers, we have made several
example ZIP files available on our website. Anyone may download these files
from http://www.rapid7.com/SecurityResearch.html after agreeing to our terms
of use.

6. Contact Information

Rapid 7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700

7. Disclaimer and Copyright

Rapid 7, Inc. is not responsible for the misuse of the information provided
in our security advisories. These advisories are a service to the
professional security community. There are NO WARRANTIES with regard to this
information. Any application or distribution of this information constitutes
acceptance AS IS, at the user's own risk. This information is subject to
change without notice.

This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is hereby granted
to redistribute this advisory, providing that no changes are made and that
the copyright notices and disclaimers remain intact. This advisory may not be
printed or distributed in non-electronic media without the express written
permission of Rapid 7, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9m8P8cL76DCfug6wRArAYAJ9OYL+rcgCSkphJ2fDMjdmcg1ezUQCgudP7
LhQHemgU/hlxnXpiPp7cu5g=
=qcmV
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
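Section 5 of the advisory notes that the two-byte filename-length field permits entry names of up to 65,535 characters, far longer than the products listed were prepared to handle. The Python below is an added example, not code from the Rapid 7 advisory or from any of the vendors named: it walks a ZIP central directory by hand and flags entries whose declared name length exceeds a policy limit, the kind of pre-screening a content-scanning gateway could apply before passing an archive to a viewer. The 255-byte limit, the `build_sample` helper and the in-memory test archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Signatures from the ZIP format: end-of-central-directory record and
# central directory file header (the structure that carries each entry's name).
EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
NAME_LIMIT = 255  # assumed policy threshold; the format itself allows 65,535


def entry_name_lengths(data: bytes):
    """Return [(declared_name_length, name_prefix), ...] for every entry.

    Walks the central directory by hand so the check sees the two-byte
    length field exactly as written, rather than whatever a ZIP library
    chooses to expose after decoding or truncating the name.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record")
    total_entries, = struct.unpack_from("<H", data, eocd + 10)
    pos, = struct.unpack_from("<I", data, eocd + 16)
    results = []
    for _ in range(total_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len]
        if len(name) != name_len:
            raise ValueError("entry name runs past end of file")
        results.append((name_len, name[:24].decode("latin-1")))
        pos += 46 + name_len + extra_len + comment_len
    return results


def flag_long_names(data: bytes, limit: int = NAME_LIMIT):
    """Entries whose declared name length exceeds the policy limit."""
    return [(n, p) for n, p in entry_name_lengths(data) if n > limit]


def build_sample(name_len: int) -> bytes:
    """Constructed test archive: a normal entry plus one with a long name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("A" * name_len + ".txt", "x")
    return buf.getvalue()
```

Because the check reads the declared length field rather than the decoded name, it also catches archives whose names a library would silently truncate before display, which is exactly the case the advisory notes for Explorer.exe.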