Written by The University of Oulu   
Tuesday, 07 April 2009 22:52
7-Zip Unspecified Archive Handling Vulnerability


-\\Bugtraq ID:
28285

-\\Class:
Unknown

-\\CVE:
CVE-2008-6536


-\\Remote:
Yes

-\\Local:
No

-\\Published:
Mar 17 2008 12:00AM

-\\Updated:
Apr 07 2009 08:46PM

-\\Credit:
The University of Oulu discovered this issue.



-\\Vulnerable:
RedHat Fedora 9  0
RedHat Fedora 8  0
7-Zip 7-Zip 4.27 BETA
7-Zip 7-Zip 4.26 BETA
7-Zip 7-Zip 4.23
7-Zip 7-Zip 3.13
7-Zip 7-Zip  3.30



-\\Not Vulnerable:
7-Zip 7-Zip  4.57



-\\Discussion
7-Zip is prone to a remote archive-handling vulnerability because the application fails to properly handle malformed archive files.

Successfully exploiting this issue may allow remote attackers to execute code, but this has not been confirmed. Exploit attempts will likely crash the application.

Versions prior to 7-Zip 4.57 are affected.



-\\Exploit(s)/PoC(s):
The Oulu University Secure Programming Group (OUSPG) at the University of Oulu in Finland created archive files designed to trigger this issue. The archive files may be obtained from the following URI:

http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/



-\\Solution
The vendor has released fixes to address this issue. Please see the references for more information.


7-Zip 7-Zip 3.30
--7-Zip  7z457.tar.bz2
http://downloads.sourceforge.net/sevenzip/7z457.tar.bz2

7-Zip 7-Zip 3.13
--7-Zip  7z457.tar.bz2
http://downloads.sourceforge.net/sevenzip/7z457.tar.bz2

7-Zip 7-Zip 4.23
--7-Zip  7z457.tar.bz2
http://downloads.sourceforge.net/sevenzip/7z457.tar.bz2

7-Zip 7-Zip 4.26 BETA
--7-Zip  7z457.tar.bz2
http://downloads.sourceforge.net/sevenzip/7z457.tar.bz2

7-Zip 7-Zip 4.27 BETA
--7-Zip  7z457.tar.bz2
http://downloads.sourceforge.net/sevenzip/7z457.tar.bz2



-\\Reference(s)
--7-Zip Home Page
http://www.7-zip.org  (7-Zip)
--PROTOS Genome Test Suite c10-archive
http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive  (Oulu University)
--20469: CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.htm  (CERT-FI)
 
