28371 : Compression Plus CP5DLL32.DLL ZOO Archive Header Processing Overflow
Printer | http://osvdb.org/28371 | Email This | Edit Vulnerability

Views This Week

4

Views All Time

58

Info

Last Modified

6 months ago

Percent Complete

100%

Disclosure

Aug 31, 2006

Discovery

Jul 12, 2006

Dates

Exploit

Unknown

Solution

Unknown

Description

A remote overflow exists in Compression Plus. The product fails to handle the processing of ZOO archives causing an error in 'CP5DLL32.DLL' library resulting in a stack-based overflow. With a specially crafted request, an attacker can execute arbitrary code via a malicious ZOO archive with an overly large size field in the header resulting in a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, BeCubed Software and Tumbleweed have released a patch to address this vulnerability.

Products

BeCubed Software, Inc.

Compression Plus

5.0

Vcom

PowerDesk Pro

6.0.1.3

Canyon Software	Drag And Zip	3.5b
Canyon Software	Power File Gold	1.12

Tumbleweed

Tumbleweed EMF

6.0

References

FrSIRT Advisory: ADV-2006-3428 ADV-2006-3429 ADV-2006-3437 ADV-2006-3438 ADV-2006-3439
Bugtraq ID: 19796
Other Advisory URL: http://www.mnin.org/advisories/2006_cp5_tweed.pdf
ISS X-Force ID: 28693
Secunia Advisory ID: 21714 21718 21720 21750 21751
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-08/0829.html
CVE ID: 2006-4554 (see also: NVD)
Vendor URL: http://www.becubed.com/compression.htm

Tools & Filters

Nessus	22308

Credit

Michael Ligh - michael.lighmnin.org -
Greg Sinclair - gssinclannlsoftware.com -
Amanda Wright - advisoriesladybugz.net -

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

User Status

Account
- Login
- Sign-Up

Quick Searches

Advertisements

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2008 Open Source Vulnerability Database (OSVDB), All Rights Reserved.
Privacy Statement - Terms of Use