ZmooZa
Heya!
Just found:

http://www.eeye.com/html/research/advisori...D20041012A.html

QUOTE
Release Date:
October 12, 2004

Date Reported:
August 2, 2004

Severity:
High (Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows XP (SP1 and earlier)
Windows Me

Overview:
eEye Digital Security has discovered a buffer overflow in DUNZIP32.DLL, a module that offers support for ZIP compressed folders in the Windows shell. An exploitable buffer overflow occurs when a user opens a ZIP folder that contains a long file name.

Technical Details:
This buffer overflow is triggered by an integer overflow. When a ZIP file containing a long file name (greater than around 0x8000 bytes) is opened in the Windows shell as a ZIP compressed folder, a stack-based buffer overflow occurs, allowing an exception handler to be overwritten and EIP to be hijacked.

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/...n/MS04-034.mspx

Credit:
Discovery: Yuji Ukai

Related Links:
Retina Network Security Scanner - Free 15 Day Trial http://www.eeye.com/html/Products/Retina/download.html

Greetings:
R.Kanai, Y.Watanabe - Welcome to eEye Japan Team, All Black Hat Japan 2004 attendees, and AV2K4 attendees.
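The advisory quoted above says the trigger is a ZIP member whose file name is "greater than around 0x8000 bytes". As an added example, not code from the eEye advisory or from anyone in this thread, the Python below builds a one-member ZIP archive by hand so the file-name length can be chosen exactly (up to the format's 16-bit maximum), and scans an archive's central directory for members whose name length exceeds a threshold, the kind of check a file-based scanner would apply. The 0x8000 threshold comes from the advisory; reading 0x8000 as the point where a 16-bit length treated as signed turns negative is an inference made here, not something the advisory states. The function and constant names and the output file name are this example's own.

```python
# Added example, not code from the eEye advisory or from this thread.
# Builds a ZIP archive by hand so the member's filename length can be chosen
# freely, and scans an archive for members whose filename length exceeds a
# threshold. Constant and function names are this example's own.
import struct
import zlib

LOCAL_SIG = 0x04034B50    # "PK\x03\x04"
CENTRAL_SIG = 0x02014B50  # "PK\x01\x02"
EOCD_SIG = 0x06054B50     # "PK\x05\x06"

# The advisory gives the trigger as a name "greater than around 0x8000
# bytes". 0x8000 is where a 16-bit length read as a signed value becomes
# negative; that this is the real integer-overflow path is an inference
# made here, not a statement from the advisory.
SUSPICIOUS_NAME_LEN = 0x8000

LOCAL_FMT = "<IHHHHHIIIHH"           # 30 bytes
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"   # 46 bytes
EOCD_FMT = "<IHHHHIIH"               # 22 bytes


def build_zip(name: bytes, payload: bytes = b"") -> bytes:
    """Return a one-member ZIP archive with the member stored uncompressed.

    Both the local header and the central directory carry the filename length
    as an unsigned 16-bit field, so names up to 65535 bytes are legal on disk,
    which is far more than a fixed-size stack buffer may expect.
    """
    if len(name) > 0xFFFF:
        raise ValueError("ZIP filename length field is 16-bit")
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    size = len(payload)
    # local header: sig, version needed, flags, method (0 = stored), mod time,
    # mod date, crc32, compressed size, uncompressed size, name len, extra len
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0,
                        crc, size, size, len(name), 0) + name + payload
    # central directory entry: sig, version made by, version needed, flags,
    # method, mod time, mod date, crc32, sizes, name len, extra len, comment
    # len, disk number, internal attrs, external attrs, local header offset
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0,
                          crc, size, size, len(name), 0, 0, 0, 0, 0, 0) + name
    # end of central directory: sig, this disk, disk with CD, entries on this
    # disk, total entries, CD size, CD offset, comment len
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def scan_zip(data: bytes, threshold: int = SUSPICIOUS_NAME_LEN) -> list:
    """Return (name_length, local_header_offset) for every member whose
    filename length exceeds `threshold`.

    Members are enumerated from the central directory (located via the EOCD
    record at the end of the file), the same way a real extractor finds them,
    so a member cannot be hidden by walking only local headers.
    """
    eocd_at = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_at < 0 or len(data) - eocd_at < 22:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack(
        EOCD_FMT, data[eocd_at:eocd_at + 22])
    findings = []
    pos = cd_offset
    for _ in range(total):
        hdr = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        if hdr[0] != CENTRAL_SIG:
            raise ValueError("bad central directory entry at offset %d" % pos)
        name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
        local_off = hdr[16]
        if name_len > threshold:
            findings.append((name_len, local_off))
        pos += 46 + name_len + extra_len + comment_len
    return findings


if __name__ == "__main__":
    # Write a test archive (output filename is this example's own choice)
    # and confirm the scanner flags it.
    archive = build_zip(b"A" * (SUSPICIOUS_NAME_LEN + 1), b"test")
    with open("long_name_test.zip", "wb") as fh:
        fh.write(archive)
    print(scan_zip(archive))
```

The generator writes the stored (method 0) member with a correct CRC-32, so the result is a well-formed archive that any unzip tool will accept; only the name length is unusual. The scanner deliberately reads the central directory rather than the local headers, because that is where shell extensions and extractors take the member list from, and it is the field a scanner such as the one the advisory mentions would need to inspect.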
ring0


>---Description---
>Win XP default zip manager can't handle long file names properly...
>
>---Bug Demonstration---
>Create a new file with a very long file name... in your C: [say:
>1.111111111111111111111111111111111111111111111111111111111111111111111111
>11111111111111111111111111111111111111111111111111111111111111111111111111
>11111111111111111111111111111111111111111111111111111111111111111111111111
>11111111111111111111111111111 ]
>
>[or, download] http://www.geocities.com/visitbipin/zip_long.zip
>
>Windows XP will easily allow you to create that file; now zip the file [the
>above-mentioned one, i.e. 1.11111111111111111111*] using the WinXP default zip
>manager [say, the new file created is 1.zip].
>But strangely, if you open the file [1.zip] with Windows Explorer [i.e.
>view its contents], you can see neither a file name nor its extension in
>the archive, but simply its icon only!
>
>Moreover, Windows XP doesn't allow you to delete the long file created in
>the above example through GUI mode [...you have to use the command prompt] and
>you end up with an error "Can't delete 1: The folder is empty." [actually it's
>a file!]

http://www.securityfocus.com/archive/1/336994


*applause*

Before, Microsoft discarded my report as a non-security issue. Maybe, during those days... my English wasn't understandable!
fulsik
This sounds very interesting... good find, man!
woodpecker.boboo
QUOTE(ZmooZa @ Oct 13 2004, 12:49 PM)
Heya!
Just found:

http://www.eeye.com/html/research/advisori...D20041012A.html
Systems Affected:
Windows XP (SP1 and earlier)
Windows Me

and
Windows 2003