much as was needed for the exploit to work.
3.4.2.4. zip.vim
``When one edits a *.zip file, this plugin will handle displaying a
contents page. Select a file to edit by moving the cursor atop
the desired file, then hit the <return> key. After editing, one may
also write to the file. Currently, one may not make a new file in
zip archives via the plugin.''
1) Software Description:
WinMount is a useful Windows utility. It is a compression tool and also a virtual drive tool. It can compress files, decompress/browse/convert compressed archives, and it
can also mount MOU, ZIP, RAR and CD/DVD/HDD images as a virtual disk or virtual folder. Supported formats: MOU ZIP RAR CAB ARJ ISO GZ BZ2 TAR WIM VHD VDI VMDK ISO ISZ BIN MDS/MDF NRG IMG CCD CUE APE FLAC WV.
2) Details:
A filename buffer overflow vulnerability exists in WinMount 3.3.0401. The PoC generates a zip file; when an attacker converts that zip file into a .mou file using WinMount, the overflow is triggered. Successful exploitation allows attackers to execute arbitrary code.
3) Credit:
The vulnerability was discovered by Lufeng Li
4) Timeline:
| CubilFelino Security Research Lab |
| proudly presents... |
+------------------------------------------------------------------------+
=======================================================
Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing
=======================================================
Security Researcher Info:
=========================
# Overwrites ICQ.zip and updates.xml in the current directory
# without a warning!
import sys, os
from hashlib import md5
from zipfile import ZipFile, ZIP_DEFLATED

if len(sys.argv) < 2:
    print("argument missing")
    sys.exit(1)
VMware VirtualCenter 2.5 Update 2 build 104263
http://www.vmware.com/download/download.do?downloadGroup=VC250U2
DVD iso image
md5sum: 83de404fa073bc1fde9acd080f21e688
Zip file
md5sum: 3297f1e47c6b018ac8190f11bd022d5b
Release Notes
http://www.vmware.com/support/vi3/doc/vi3_esx35u2_vc25u2_rel_notes.html
VMware VirtualCenter 2.0.2 Update 5 build 104182
Even in the presence of vulnerable antivirus software, it is possible to download
and save an EXE file to the system that would otherwise be detected as malware
and blocked. A successfully tested scenario (with NOD32) is:
- create an empty target file
- remove all permissions from it, except to write/append data
- download a ZIP file containing an EXE file that is detected as malware
  (the bo2k.exe from the download package on the BO2K home page); the ZIP
  file triggers no warnings from NOD32
- using standard command line tools, like unzip, split and cat, extract
  the bo2k.exe
============
During a penetration test, a ZyXEL ZyWALL USG appliance was found and
tested for security vulnerabilities. The following sections first
describe how the appliance's filesystem can be extracted from the
encrypted firmware upgrade zip files. Afterwards it is shown how
arbitrary configuration files can be uploaded to and downloaded from the
appliance. This way, a custom user account with a chosen password can
be added to the running appliance without the need for a reboot.
There is a vulnerability in AhnLab Antivirus which allows an attacker
to cause a BSOD (Blue Screen Of Death) or, potentially, arbitrary code execution.
This vulnerability can be exploited by persuading a user to visit a website.
While parsing a .ZIP file, the AhnLab Antivirus library does not
properly check the value of a certain field, which results in remote
kernel memory corruption.
The ZIP file format:
Applying the security patches:
The security patches may be applied by following these steps:
1. If you are not already running version 3.2.6, 4.0.3 or 4.1.2, you
must upgrade to one of these versions.
2. Download the zip file containing the appropriate patch for your version.
3. Stop the Hyperic HQ server.
4. Copy the original hq-engine/server/default/deploy/hq.ear/hq.jar to a
safe location outside of the Hyperic HQ installation
5. Copy the original
hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar to
Hi,
Recently on opening one of my site,my antivirus pops up saying that it
has found on malicious script.the url is random and i have managed to
get tht script.it is using some flaw in apple quick time.
u can get the zip file for java script here:
http://secgeeks.com/what.zip
password is 12345
can somebody guide/help me what is this and how can i remove it?
--
It was discovered that Java2D did not properly check graphics
rendering objects before passing them to the native renderer.
This could lead to JVM crash or Java sandbox bypass.
CVE-2012-0501
The ZIP central directory parser used by java.util.zip.ZipFile
entered an infinite recursion in native code when processing a
crafted ZIP file, leading to a denial of service.
CVE-2012-0502
A flaw was found in the AWT KeyboardFocusManager class that
The php-mbstring module is linked against a separate shared libmbfl
library that has also been patched to address CVE-2008-5557.
Directory traversal vulnerability in the ZipArchive::extractTo function
in PHP 5.2.6 and earlier allows context-dependent attackers to write
arbitrary files via a ZIP file with a file whose name contains .. (dot
dot) sequences. (CVE-2008-5658)
make sure the page_uid and page_gid get initialized properly in
ext/standard/basic_functions.c. Also, init server_context before
processing config variables in sapi/apache/mod_php5.c (CVE-2008-5624).
`id`='".$pid."'";
$result = run_query($query);
while ($row = mysql_fetch_assoc($result)){
$file_contents = file_get_contents("images/".$row["path"], true);
$zipfile -> add_file($file_contents, $row["path"]);
}
}
}
The above code comes from plog-download.php @ lines 285-297
Summary
-------
The function countCENHeaders() in zip_util.c of the java.util.zip
implementation contains an off-by-one bug. The bug can be exploited via
corrupted ZIP files to cause an endless recursion. The endless recursion
results in a segmentation fault of the JVM.
The following assessment is based on the JDK sources available from
Oracle's website (jdk-6u23-fcs-src-b05-jrl-12_nov_2010.jar).
cmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;
n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <= CRASH HERE
-lib/zip_name_locate.c---
For an empty zip file with the ZIP_FL_UNCHANGED flag, libzip crashes. Currently, for PHP, we estimate the security impact to be only a remote DoS, so the risk is low.
Projects using libzip: KDE Utilities (4.x branch), MySQL Workbench, ckmame, fuse-zip, PHP zip extension, Endeavour2, FreeDink
A better analysis, based on the PHP ZipArchive code, is below.
-------------
VMware VirtualCenter 2.5 Update 4
http://www.vmware.com/download/download.do?downloadGroup=VC250U4
DVD iso image
md5sum: 4304334ed7662b6a43646e6dde0956d2
Zip file
md5sum: 1306cb9b25e28a06bab84257d7cbf38f
Release Notes
http://www.vmware.com/support/vi3/doc/vi3_vc25u4_rel_notes.html
5. References
File size: 854 MB
File type: .iso
md5sum: d83b09ac0533a418d5b7f5493dbd3ed3
sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0
VirtualCenter as a Zip file - English only version
File size: 625 MB
File type: .zip
md5sum: 760f335ebcd363e0e159b20da923621f
sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e
I did not look at the malware, but it is pretty obvious you have been
Impact
======
Remote attackers could entice a user or automated system to open a
specially crafted ZIP file that might lead to the execution of
arbitrary code or a Denial of Service.
Workaround
==========