CVE-2016-2335 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |

Summary
The CInArchive::ReadFileItem method in Archive/Udf/UdfIn.cpp in 7zip 9.20 and 15.05 beta and p7zip allows remote attackers to cause a denial of service (out-of-bounds read) or execute arbitrary code via the PartitionRef field in the Long Allocation Descriptor in a UDF file.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 1 | |
OS | 2 | |
Application | 2 | |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-3599.NASL |
description | Marcin |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 91549 |
published | 2016-06-10 |
reporter | This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/91549 |
title | Debian DSA-3599-1 : p7zip - security update |

code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-3599. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(91549);
  script_version("2.12");
  script_cvs_date("Date: 2018/11/10 11:49:37");

  script_cve_id("CVE-2016-2335");
  script_xref(name:"DSA", value:"3599");

  script_name(english:"Debian DSA-3599-1 : p7zip - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Marcin 'Icewall' Noga of Cisco Talos discovered an out-of-bound read
vulnerability in the CInArchive::ReadFileItem method in p7zip, a 7zr
file archiver with high compression ratio. A remote attacker can take
advantage of this flaw to cause a denial-of-service or, potentially
the execution of arbitrary code with the privileges of the user
running p7zip, if a specially crafted UDF file is processed."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824160"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/p7zip"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2016/dsa-3599"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the p7zip packages.

For the stable distribution (jessie), this problem has been fixed in
version 9.20.1~dfsg.1-4.1+deb8u2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:p7zip");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"8.0", prefix:"p7zip", reference:"9.20.1~dfsg.1-4.1+deb8u2")) flag++;
if (deb_check(release:"8.0", prefix:"p7zip-full", reference:"9.20.1~dfsg.1-4.1+deb8u2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3913-1.NASL |
description | It was discovered that p7zip did not correctly handle certain malformed archives. If a user or automated system were tricked into processing a specially crafted archive with p7zip, then p7zip could be made to crash, possibly leading to arbitrary code execution. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 123074 |
published | 2019-03-25 |
reporter | Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/123074 |
title | Ubuntu 16.04 LTS : p7zip vulnerabilities (USN-3913-1) |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_D706A3A34A7C11E697F75453ED2E2B49.NASL |
description | Cisco Talos reports : An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. Central to 7-Zip |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 92346 |
published | 2016-07-18 |
reporter | This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/92346 |
title | FreeBSD : p7zip -- out-of-bounds read vulnerability (d706a3a3-4a7c-11e6-97f7-5453ed2e2b49) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2016-BBCB0E4EB4.NASL |
description | Update p7zip to 16.02 and fix security issues for CVE-2016-2335, CVE-2016-2334. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2016-07-21 |
plugin id | 92477 |
published | 2016-07-21 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/92477 |
title | Fedora 24 : p7zip (2016-bbcb0e4eb4) |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2016-673.NASL |
description | This update for p7zip fixes the following issues : - add p7zip-9.20.1-CVE-2016-2335.patch to fix 7zip UDF CInArchive::ReadFileItem code execution vulnerability [boo#979823], [CVE-2016-2335] |
last seen | 2020-06-05 |
modified | 2016-06-06 |
plugin id | 91484 |
published | 2016-06-06 |
reporter | This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/91484 |
title | openSUSE Security Update : p7zip (openSUSE-2016-673) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DLA-510.NASL |
description | Marcin |
last seen | 2020-03-17 |
modified | 2016-06-14 |
plugin id | 91574 |
published | 2016-06-14 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/91574 |
title | Debian DLA-510-1 : p7zip security update |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2016-890.NASL |
description | fix 7zip UDF CInArchive::ReadFileItem code execution vulnerability [boo#979823], [CVE-2016-2335] |
last seen | 2020-06-05 |
modified | 2016-07-22 |
plugin id | 92507 |
published | 2016-07-22 |
reporter | This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/92507 |
title | openSUSE Security Update : p7zip (openSUSE-2016-890) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2016-1593-1.NASL |
description | This update for p7zip fixes the following issues : - add p7zip-9.20.1-CVE-2016-2335.patch to fix 7zip UDF CInArchive::ReadFileItem code execution vulnerability [bsc#979823], [CVE-2016-2335] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 91668 |
published | 2016-06-17 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/91668 |
title | SUSE SLED12 / SLES12 Security Update : p7zip (SUSE-SU-2016:1593-1) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201701-27.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201701-27 (7-Zip: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in 7-Zip. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted archive file possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 96421 |
published | 2017-01-12 |
reporter | This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/96421 |
title | GLSA-201701-27 : 7-Zip: Multiple vulnerabilities |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2016-430BC0F808.NASL |
description | Update p7zip to 16.02 and fix security issues for CVE-2016-2335, CVE-2016-2334. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2016-08-02 |
plugin id | 92669 |
published | 2016-08-02 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/92669 |
title | Fedora 23 : p7zip (2016-430bc0f808) |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2016-771.NASL |
description | This update for p7zip fixes one security issue. This security issue was fixed : - CVE-2016-2335: UDF CInArchive::ReadFileItem code execution vulnerability (bsc#979823) This update was imported from the SUSE:SLE-12:Update update project. |
last seen | 2020-06-05 |
modified | 2016-06-28 |
plugin id | 91867 |
published | 2016-06-28 |
reporter | This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/91867 |
title | openSUSE Security Update : p7zip (openSUSE-2016-771) |

NASL family | Windows |
NASL id | 7ZIP_16_00.NASL |
description | The version of 7-Zip installed on the remote Windows host is prior to 16.0. It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists in the CHandler::ExtractZlibFile() function within file Archive\HfsHandler.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this by convincing a user to open a specially crafted file, resulting in the execution of arbitrary code. (CVE-2016-2334) - An out-of-bounds read error exists in the CInArchive::ReadFileItem() function within file Archive\Udf\UdfIn.cpp when handling Universal Disk Format (UDF) files. An unauthenticated, remote attacker can exploit this by convincing a user to open a specially crafted UDF file, resulting in the execution of arbitrary code. (CVE-2016-2335) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 91230 |
published | 2016-05-19 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/91230 |
title | 7-Zip < 16.00 Multiple Vulnerabilities |
Seebug
id | SSV:96782 |
bulletinFamily | exploit |
last seen | 2017-11-19 |
modified | 2017-10-26 |
published | 2017-10-26 |
reporter | Root |
title | 7zip UDF CInArchive::ReadFileItem Code Execution Vulnerability (CVE-2016-2335) |

description:

### Summary

An out-of-bounds read vulnerability exists in the CInArchive::ReadFileItem method of 7zip's UDF file handling. It can lead to denial of service or code execution.

### Tested Versions

7-Zip [32] 15.05 beta
7-Zip [64] 9.20

### Product URLs

http://www.7-zip.org/

### Details

To locate a file or directory on a particular partition, the CInArchive::ReadFileItem method uses, among other things, the Partition Map and the Long Allocation Descriptor [2.3.10.1 Long Allocation Descriptor]. Because a volume can have more than one partition map, the partition map objects are kept in an object vector. To start looking for an item, the method selects the partition object through this partition map vector, indexed by the "PartitionRef" field of the Long Allocation Descriptor. There is no check that "PartitionRef" is smaller than the number of partition map objects, so an oversized value causes an out-of-bounds read, which in some circumstances can lead to arbitrary code execution.

Vulnerable code:

```
CPP\7zip\Archive\Udf\UdfIn.cpp

Line 898   FOR_VECTOR (fsIndex, vol.FileSets)
Line 899   {
Line 900     CFileSet &fs = vol.FileSets[fsIndex];
Line 901     unsigned fileIndex = Files.Size();
Line 902     Files.AddNew();
Line 903     RINOK(ReadFileItem(volIndex, fsIndex, fs.RootDirICB, kNumRecursionLevelsMax));
Line 904     RINOK(FillRefs(fs, fileIndex, -1, kNumRecursionLevelsMax));
Line 905   }
........
Line 384 HRESULT CInArchive::ReadFileItem(int volIndex, int fsIndex, const CLongAllocDesc &lad, int numRecurseAllowed)
Line 385 {
Line 386   if (Files.Size() % 100 == 0)
Line 387     RINOK(_progress->SetCompleted(Files.Size(), _processedProgressBytes));
Line 388   if (numRecurseAllowed-- == 0)
Line 389     return S_FALSE;
Line 390   CFile &file = Files.Back();
Line 391   const CLogVol &vol = LogVols[volIndex];
Line 392   CPartition &partition = Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
```

The vulnerability can be triggered by any entry that contains a malformed long allocation descriptor, but this example focuses on the File Set's RootDirICB [2.3.2 File Set Descriptor]. As the code above shows (lines 898-905), the search for elements on a particular volume and file set starts from the RootDirICB Long Allocation Descriptor, and that is the record the PoC malforms. The vulnerability appears at line 392 when the PartitionRef field exceeds the number of elements in the PartitionMaps vector. First, check how many PartitionMaps the PoC contains:

```
0:000> .restart /f
Symbol search path is: symsrv*symsrv.dll*d:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 01270000 012e5000   7z.exe
Page heap: pid 0x29A0: page heap enabled with flags 0x3.
Page heap: pid 0x29A0: page heap enabled with flags 0x3.
(29a0.720): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=fa8d0000 edx=0025e198 esi=fffffffe edi=00000000
eip=77c412fb esp=0019f91c ebp=0019f948 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
77c412fb cc              int     3
0:000> g
Breakpoint 114 hit
eax=07c1ef58 ebx=00000000 ecx=07c24ff8 edx=00000000 esi=00000000 edi=0019f17c
eip=69ccaa81 esp=0019d73c ebp=0019d7b0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
>  392: CPartition &partition = Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
7z_69bf0000!NArchive::NUdf::CInArchive::ReadFileItem+0xa1:
69ccaa81 8b4510          mov     eax,dword ptr [ebp+10h] ss:002b:0019d7c0=e44fad07
0:000> dv /t vol
struct NArchive::NUdf::CLogVol * vol = 0x07c1ef58
0:000> dt /b NArchive::NUdf::CLogVol poi(vol)
(...)
   +0x090 PartitionMaps : CObjectVector<NArchive::NUdf::CPartitionMap>
      +0x000 _v : CRecordVector<void *>
         +0x000 _items : 0x07c20ff8
         +0x004 _size : 1
         +0x008 _capacity : 1
```

There is one partition map, while the PartitionRef field of the descriptor is:

```
0:000> dv /t lad
struct NArchive::NUdf::CLongAllocDesc * lad = 0x07ad4fe4
0:000> dt /b NArchive::NUdf::CLongAllocDesc poi(lad)
7z_69bf0000!NArchive::NUdf::CLongAllocDesc
   +0x000 Len : 0x800
   +0x004 Location : NArchive::NUdf::CLogBlockAddr
      +0x000 Pos : 2
      +0x004 PartitionRef : 0xff
```

With PartitionRef = 0xff and a single partition map, the out-of-bounds read follows. This is how it manifests:

```
0:000> g
(29a0.720): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07c213f4 ebx=00000000 ecx=07c20ff8 edx=000000ff esi=00000000 edi=0019f17c
eip=69cc38f8 esp=0019d6e0 ebp=0019d730 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
>  450: const T& operator[](unsigned index) const { return *((T *)_v[index]); }
7z_69bf0000!CObjectVector<NArchive::NTar::CItemEx>::operator[]+0x18:
69cc38f8 8b00            mov     eax,dword ptr [eax]  ds:002b:07c213f4=????????
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
7z_69bf0000!CObjectVector<NArchive::NTar::CItemEx>::operator[]+18
69cc38f8 8b00            mov     eax,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 69cc38f8 (7z_69bf0000!CObjectVector<NArchive::NTar::CItemEx>::operator[]+0x00000018)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 07c213f4
Attempt to read from address 07c213f4

FAULTING_THREAD:  00000720

PROCESS_NAME:  7z.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  07c213f4

READ_ADDRESS:  07c213f4

FOLLOWUP_IP:
7z_69bf0000!CObjectVector<NArchive::NTar::CItemEx>::operator[]+18
69cc38f8 8b00            mov     eax,dword ptr [eax]

DETOURED_IMAGE: 1

NTGLOBALFLAG:  2000000

APPLICATION_VERIFIER_FLAGS:  0

APP:  7z.exe

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_AFTER_CALL

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_AFTER_CALL

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_AFTER_CALL

LAST_CONTROL_TRANSFER:  from 69ccaa97 to 69cc38f8

STACK_TEXT:
0019d730 69ccaa97 000000ff 0019f17c 00000000 7z_69bf0000!CObjectVector<NArchive::NTar::CItemEx>::operator[]+0x18 [7z1505-src\cpp\common\myvector.h @ 450]
0019d7b0 69cc9d3a 00000000 00000000 07ad4fe4 7z_69bf0000!NArchive::NUdf::CInArchive::ReadFileItem+0xb7 [7z1505-src\cpp\7zip\archive\udf\udfin.cpp @ 392]
0019e288 69cca215 0019f17c 0019ec1c 00000000 7z_69bf0000!NArchive::NUdf::CInArchive::Open2+0xcba [7z1505-src\cpp\7zip\archive\udf\udfin.cpp @ 903]
0019e2e4 69cc73f3 07b4efa8 0019e37c 0019f17c 7z_69bf0000!NArchive::NUdf::CInArchive::Open+0x25 [7z1505-src\cpp\7zip\archive\udf\udfin.cpp @ 975]
0019e3a4 012acf95 07021f68 07b4efa8 0019e950 7z_69bf0000!NArchive::NUdf::CHandler::Open+0x63 [7z1505-src\cpp\7zip\archive\udf\udfhandler.cpp @ 149]
0019ea58 012b1690 0019f154 0019f17c 0019ec1c 7z!CArc::OpenStream2+0xdb5 [7z1505-src\cpp\7zip\ui\common\openarchive.cpp @ 1820]
0019eb4c 012b1ba6 0019f154 0019f17c 0019ec1c 7z!CArc::OpenStream+0x30 [7z1505-src\cpp\7zip\ui\common\openarchive.cpp @ 2829]
0019ebe0 012ab7e9 0019f154 00000000 00000001 7z!CArc::OpenStreamOrFile+0x166 [7z1505-src\cpp\7zip\ui\common\openarchive.cpp @ 2921]
0019ef20 012ab4b8 0019f154 00000000 00000001 7z!CArchiveLink::Open+0x179 [7z1505-src\cpp\7zip\ui\common\openarchive.cpp @ 3097]
0019efd8 012ab63c 0019f154 06bf9ea8 00000000 7z!CArchiveLink::Open2+0x148 [7z1505-src\cpp\7zip\ui\common\openarchive.cpp @ 3220]
0019f040 0129ffec 0019f154 06bf9ea8 00000000 7z!CArchiveLink::Open3+0x1c [7z1505-src\cpp\7zip\ui\common\openarchive.cpp @ 3284]
0019f2e4 012ca3fd 0019f9b8 0019f938 0019f92c 7z!Extract+0x48c [7z1505-src\cpp\7zip\ui\common\extract.cpp @ 362]
0019fc84 012cc0be 00000000 00000001 00000000 7z!Main2+0x14cd [7z1505-src\cpp\7zip\ui\console\main.cpp @ 881]
0019fd5c 012cfe33 00000003 06bf5f80 06e75f18 7z!main+0x7e [7z1505-src\cpp\7zip\ui\console\mainar.cpp @ 70]
0019fd9c 75d6337a fffde000 0019fde8 77bd92e2 7z!__tmainCRTStartup+0xfd [f:\dd\vctools\crt\crtw32\dllstuff\crtexe.c @ 626]
0019fda8 77bd92e2 fffde000 56a1b6fd 00000000 kernel32!BaseThreadInitThunk+0xe
0019fde8 77bd92b5 012cfe9b fffde000 00000000 ntdll!__RtlUserThreadStart+0x70
0019fe00 00000000 012cfe9b fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b

FAULTING_SOURCE_LINE_NUMBER:  450
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  7z!CObjectVector<NArchive::NTar::CItemEx>::operator[]+18
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: 7z_69bf0000
IMAGE_NAME:  7z.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  559185fe
STACK_COMMAND:  ~0s ; kb
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AFTER_CALL_c0000005_7z.dll!CObjectVector_NArchive::NTar::CItemEx_::operator[]
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_AFTER_CALL_DETOURED_7z!CObjectVector_NArchive::NTar::CItemEx_::operator[]+18
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/7z_exe/15_5_0_0/5591858b/7z_dll/15_5_0_0/559185fe/c0000005/000d38f8.htm?Retriage=1
Followup: MachineOwner
---------
```

Finally, this is how the File Set's RootDirICB entry was modified:

```
Original file:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00080990   00 08 00 00 02 00 00 00  00 00 00 00 00 00 00 00   ................
000809A0   00 2A 4F 53 54 41 20 55  44 46 20 43 6F 6D 70 6C   .*OSTA UDF Compl
000809B0   69 61 6E 74 00 00 00 00  02 01 03 00 00 00 00 00   iant............

Malformed file:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00080990   00 08 00 00 02 00 00 00  FF 00 00 00 00 00 00 00   ........˙.......
000809A0   00 2A 4F 53 54 41 20 55  44 46 20 43 6F 6D 70 6C   .*OSTA UDF Compl
000809B0   69 61 6E 74 00 00 00 00  02 01 03 00 00 00 00 00   iant............
```

At offset 00080990 + 8 the byte 0x00 was changed to 0xff, which is the PartitionRef value observed during the analysis.

### Timeline

* 2016-03-03 - Vendor Notification
* 2016-05-10 - Public Disclosure
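The lookup described in the Details section, with the two descriptors from the hex dump, as an added C++ example that is not 7-Zip's code and not part of the Talos or Seebug advisory: it parses a 16-byte Long Allocation Descriptor and resolves the partition only after validating PartitionRef against the partition map vector it indexes, which is the check line 392 lacks. The struct names mirror the advisory's, but the types, the ParseLongAllocDesc / ResolvePartitionIndex / CheckDescriptor functions and the single-partition-map volume are constructed for this illustration; the descriptor byte layout (extent length, logical block number, partition reference number, six bytes of implementation use, little-endian) follows the ECMA-167 / UDF long_ad and is consistent with the Len, Pos and PartitionRef values the debugger shows above.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Illustrative stand-ins for the UDF structures named in the advisory;
// these are not 7-Zip's declarations.
struct CLogBlockAddr { uint32_t Pos; uint16_t PartitionRef; };
struct CLongAllocDesc { uint32_t Len; CLogBlockAddr Location; };
struct CPartitionMap { unsigned PartitionIndex; };
struct CLogVol { std::vector<CPartitionMap> PartitionMaps; };

static uint32_t rd32le(const uint8_t *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) {
  return (uint16_t)(p[0] | (p[1] << 8));
}

// Long Allocation Descriptor (ECMA-167 / UDF 2.3.10.1) on disk, 16 bytes, little-endian:
//   0..3   Extent Length
//   4..7   Logical Block Number
//   8..9   Partition Reference Number
//   10..15 Implementation Use (ignored here)
bool ParseLongAllocDesc(const uint8_t *buf, size_t len, CLongAllocDesc &lad) {
  if (buf == nullptr || len < 16) return false;   // short buffer: refuse, never over-read
  lad.Len = rd32le(buf);
  lad.Location.Pos = rd32le(buf + 4);
  lad.Location.PartitionRef = rd16le(buf + 8);
  return true;
}

// Resolve the partition index a descriptor refers to, validating the
// untrusted PartitionRef against the vector it indexes before using it.
// Returns -1 when the descriptor is out of range; a caller should treat
// that as a malformed archive (S_FALSE in 7-Zip's terms) rather than index.
int ResolvePartitionIndex(const CLogVol &vol, const CLongAllocDesc &lad, size_t numPartitions) {
  size_t ref = lad.Location.PartitionRef;
  if (ref >= vol.PartitionMaps.size()) return -1;   // the bounds check the vulnerable line lacks
  size_t idx = vol.PartitionMaps[ref].PartitionIndex;
  if (idx >= numPartitions) return -1;              // the second hop (Partitions[...]) is indexed too
  return (int)idx;
}

// The two 16-byte descriptors from the advisory's hex dump at offset 0x80990
// (original and malformed), copied here as constructed test input.
static const uint8_t kOriginalLad[16] = {
  0x00,0x08,0x00,0x00, 0x02,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
static const uint8_t kMalformedLad[16] = {
  0x00,0x08,0x00,0x00, 0x02,0x00,0x00,0x00, 0xFF,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };

// Runs a raw descriptor against a volume with a single partition map (the
// PoC's layout, _size = 1 above) and one partition; returns the resolved
// partition index or -1 when the descriptor is rejected.
int CheckDescriptor(const uint8_t *raw, size_t rawLen) {
  CLogVol vol;
  vol.PartitionMaps.push_back(CPartitionMap{0});
  CLongAllocDesc lad;
  if (!ParseLongAllocDesc(raw, rawLen, lad)) return -1;
  return ResolvePartitionIndex(vol, lad, /*numPartitions=*/1);
}

int main() {
  printf("original : %d\n", CheckDescriptor(kOriginalLad, sizeof kOriginalLad));   // 0
  printf("malformed: %d\n", CheckDescriptor(kMalformedLad, sizeof kMalformedLad)); // -1
  return 0;
}
```

The check is placed on the value that comes from the file, not on the result of the lookup, because once `vol.PartitionMaps[0xff]` is evaluated the read past the one-element vector has already happened (the `operator[]` frame at `myvector.h @ 450` in the stack above). Validating the second index as well matters because `PartitionIndex` is itself parsed data and feeds `Partitions[...]` on the same line.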
Talos
id | TALOS-2016-0094 |
last seen | 2019-05-29 |
published | 2016-05-10 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0094 |
title | 7zip UDF CInArchive::ReadFileItem Code Execution Vulnerability |
References
- http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
- http://lists.opensuse.org/opensuse-updates/2016-06/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2016-06/msg00098.html
- http://lists.opensuse.org/opensuse-updates/2016-07/msg00069.html
- http://www.debian.org/security/2016/dsa-3599
- http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
- http://www.securityfocus.com/bid/90531
- http://www.securitytracker.com/id/1035876
- http://www.talosintel.com/reports/TALOS-2016-0094/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNYIQAU3FKFBNFPK6GKYTSVRHQA7PTYT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DTGWICT3KYYDPDXRNO5SXD32GZICGRIR/
- https://security.gentoo.org/glsa/201701-27
- https://usn.ubuntu.com/3913-1/