var-201404-0115
Vulnerability from variot
Buffer overflow in Power Software WinArchiver 3.2 allows remote attackers to execute arbitrary code via a crafted .zip file. The etgear DGND3700 is a wireless router device. The Netgear DGND3700 ping.cgi script incorrectly filters user-submitted input, allowing authenticated remote attackers to exploit a vulnerability to submit a special POST request to execute arbitrary commands. WinArchiver is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. WinArchiver 3.2 is vulnerable; other versions may also be affected. ##############################################################################
- RealPentesting Advisory -
Title: SEH BUFFER OVERFLOW IN WINARCHIVER V.3.2 Severity: Critical History: 24.Apr.2013 Vulnerability reported Authors: Josep Pi Rodriguez, Pedro Guillen Nuñez , Miguel Angel de Castro Simon Organization: RealPentesting URL: http://www.realpentesting.blogspot.com Product: WinArchiver Version: 3.2 Vendor: PowerSoftware Url Vendor: http://winarchiver.com Platform: Windows Type of vulnerability: SEH buffer overflow Issue fixed in version: (Not fixed) CVE identifier: CVE-2013-5660
[ DESCRIPTION SOFTWARE ]
From vendor website: WinArchiver is a powerful archive utility, which can open, create, and manage archive files. It supports almost all archive formats, including zip, rar, 7z, iso, and other popular formats. WinArchiver can also mount the archive to a virtual drive without extraction.
[ VULNERABILITY DETAILS ]
WinArchiver suffers from a SEH based overflow Above you can see the debugged process after the seh overflow. As you can see in the bold letters the structure exception handler (seh) has overwritten by 00410041 which is manipulated by us. The proof of concept .zip file is attached in this mail. You have to open the .zip with WinArchiver and click the extract button in order to trigger the vulnerability.
Registers
eax=00000041 ebx=000017a6 ecx=043b0000 edx=7fffdf41 esi=043aed84 edi=043aed58 eip=004e64cb esp=043ae8cc ebp=043ae8d0 iopl=0 nv up ei pl nz ac po cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213 *** ERROR: Module load completed but symbols could not be loaded for C:\Archivos de Programa\WinArchiver\WinArchiver.exe WinArchiver+0xe64cb: 004e64cb 668901 mov word ptr [ecx],ax ds:0023:043b0000=???? Seh chain
!exchain 043aff0c: WinArchiver+10041 (00410041) Invalid exception stack at 00410041
By opening a specially crafted zip file, it is possible to execute arbitrary code.We can sucesfully exploit the vulnerability in order to gain code execution.
[ VENDOR COMMUNICATION ]
20/04/2013 : vendor contacted.No response 24/04/2013 : vendor contacted again.No response 29/04/2013: PUBLIC DISCLOSURE
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201404-0115",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "winarchiver",
"scope": "eq",
"trust": 1.6,
"vendor": "powersoftware",
"version": "3.2"
},
{
"model": "winarchiver",
"scope": "eq",
"trust": 0.8,
"vendor": "power",
"version": "3.2"
},
{
"model": "dgnd3700",
"scope": null,
"trust": 0.6,
"vendor": "netgear",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04220"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006353"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-128"
},
{
"db": "NVD",
"id": "CVE-2013-5660"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:powersoftware:winarchiver",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006353"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Josep Pi Rodriguez, Pedro Guillen Nunez, and Miguel Angel de Castro Simon",
"sources": [
{
"db": "BID",
"id": "59626"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-128"
}
],
"trust": 0.9
},
"cve": "CVE-2013-5660",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "CVE-2013-5660",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.7,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 5.1,
"id": "CNVD-2013-04220",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2013-5660",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2013-5660",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2013-04220",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201305-128",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04220"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006353"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-128"
},
{
"db": "NVD",
"id": "CVE-2013-5660"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Buffer overflow in Power Software WinArchiver 3.2 allows remote attackers to execute arbitrary code via a crafted .zip file. The etgear DGND3700 is a wireless router device. The Netgear DGND3700 ping.cgi script incorrectly filters user-submitted input, allowing authenticated remote attackers to exploit a vulnerability to submit a special POST request to execute arbitrary commands. WinArchiver is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. \nAn attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. \nWinArchiver 3.2 is vulnerable; other versions may also be affected. ##############################################################################\n\n\n - RealPentesting Advisory -\n\n###############################################################################\n\n Title: SEH BUFFER OVERFLOW IN WINARCHIVER V.3.2\n Severity: Critical\n History: 24.Apr.2013 Vulnerability reported\n Authors: Josep Pi Rodriguez, Pedro Guillen Nu\u00f1ez , Miguel Angel de Castro Simon\n Organization: RealPentesting\n URL: http://www.realpentesting.blogspot.com\n Product: WinArchiver\n Version: 3.2\n Vendor: PowerSoftware\n Url Vendor: http://winarchiver.com\n Platform: Windows\n Type of vulnerability: SEH buffer overflow\n Issue fixed in version: (Not fixed)\n CVE identifier: CVE-2013-5660\n\n[ DESCRIPTION SOFTWARE ]\n\nFrom vendor website:\nWinArchiver is a powerful archive utility, which can open, create, and manage archive files. It supports almost all archive formats, including zip, rar, 7z, iso, and other popular formats. WinArchiver can also mount the archive to a virtual drive without extraction. \n\n[ VULNERABILITY DETAILS ]\n\nWinArchiver suffers from a SEH based overflow\nAbove you can see the debugged process after the seh overflow. As you can see in the bold letters the structure exception handler (seh) has overwritten by 00410041 which is manipulated by us. The proof of concept .zip file is attached in this mail. You have to open the .zip with WinArchiver and click the extract button in order to trigger the vulnerability. \n\nRegisters\n---------\neax=00000041 ebx=000017a6 ecx=043b0000 edx=7fffdf41 esi=043aed84 edi=043aed58\neip=004e64cb esp=043ae8cc ebp=043ae8d0 iopl=0 nv up ei pl nz ac po cy\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213\n*** ERROR: Module load completed but symbols could not be loaded for C:\\Archivos de Programa\\WinArchiver\\WinArchiver.exe\nWinArchiver+0xe64cb:\n004e64cb 668901 mov word ptr [ecx],ax ds:0023:043b0000=????\nSeh chain\n----------\n!exchain\n043aff0c: WinArchiver+10041 (00410041)\nInvalid exception stack at 00410041\n\nBy opening a specially crafted zip file, it is possible to execute arbitrary code.We can sucesfully exploit the vulnerability in order to gain code execution. \n\n[ VENDOR COMMUNICATION ]\n\n20/04/2013 : vendor contacted.No response\n24/04/2013 : vendor contacted again.No response\n29/04/2013: PUBLIC DISCLOSURE\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2013-5660"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006353"
},
{
"db": "CNVD",
"id": "CNVD-2013-04220"
},
{
"db": "BID",
"id": "59626"
},
{
"db": "PACKETSTORM",
"id": "123051"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-5660",
"trust": 2.8
},
{
"db": "BID",
"id": "59626",
"trust": 1.9
},
{
"db": "OSVDB",
"id": "92992",
"trust": 1.6
},
{
"db": "PACKETSTORM",
"id": "121512",
"trust": 1.6
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006353",
"trust": 0.8
},
{
"db": "VULDB",
"id": "8505",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2013-04220",
"trust": 0.6
},
{
"db": "FULLDISC",
"id": "20130902 LIST OF VULNERABILITIES DISCOVERED BY REALPENTESTING",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201305-128",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "123051",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04220"
},
{
"db": "BID",
"id": "59626"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006353"
},
{
"db": "PACKETSTORM",
"id": "123051"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-128"
},
{
"db": "NVD",
"id": "CVE-2013-5660"
}
]
},
"id": "VAR-201404-0115",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04220"
}
],
"trust": 1.16666666
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04220"
}
]
},
"last_update_date": "2024-11-23T22:46:07.302000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "WinArchiver",
"trust": 0.8,
"url": "http://www.winarchiver.com/index.htm"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006353"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006353"
},
{
"db": "NVD",
"id": "CVE-2013-5660"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://realpentesting.blogspot.com.es/p/blog-page_3.html"
},
{
"trust": 1.6,
"url": "http://seclists.org/fulldisclosure/2013/sep/8"
},
{
"trust": 1.6,
"url": "http://osvdb.org/show/osvdb/92992"
},
{
"trust": 1.6,
"url": "http://osvdb.org/ref/92/winarchiver-overflow.txt"
},
{
"trust": 1.6,
"url": "http://packetstormsecurity.com/files/121512/winarchiver-3.2-buffer-overflow.html"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/59626"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5660"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5660"
},
{
"trust": 0.6,
"url": "http://www.scip.ch/en/?vuldb.8505"
},
{
"trust": 0.6,
"url": "http://osvdb.org/ref/92/netgear-dgnd3700.txt"
},
{
"trust": 0.1,
"url": "http://www.realpentesting.blogspot.com"
},
{
"trust": 0.1,
"url": "http://winarchiver.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-5660"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04220"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006353"
},
{
"db": "PACKETSTORM",
"id": "123051"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-128"
},
{
"db": "NVD",
"id": "CVE-2013-5660"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2013-04220"
},
{
"db": "BID",
"id": "59626"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006353"
},
{
"db": "PACKETSTORM",
"id": "123051"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-128"
},
{
"db": "NVD",
"id": "CVE-2013-5660"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-04-26T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-04220"
},
{
"date": "2013-04-24T00:00:00",
"db": "BID",
"id": "59626"
},
{
"date": "2014-04-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006353"
},
{
"date": "2013-09-02T19:03:52",
"db": "PACKETSTORM",
"id": "123051"
},
{
"date": "2013-04-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201305-128"
},
{
"date": "2014-04-25T17:12:03.847000",
"db": "NVD",
"id": "CVE-2013-5660"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-04-26T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-04220"
},
{
"date": "2015-03-19T09:12:00",
"db": "BID",
"id": "59626"
},
{
"date": "2014-04-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006353"
},
{
"date": "2014-04-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201305-128"
},
{
"date": "2024-11-21T01:57:54.187000",
"db": "NVD",
"id": "CVE-2013-5660"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201305-128"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Power Software of WinArchiver Vulnerable to buffer overflow",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006353"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201305-128"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.