Title: CheckMark MultiLedger accounting system DUNZIP32.dll buffer overflow vulnerability
Criticality: Medium
Affected software: MultiLedger for Windows versions prior than 7.0.2
Author: Juha-Matti Laurio info [at] networksecurity.fi, juha-matti.laurio [at] netti.fi
Date: 28th October, 2005
Advisory ID: Networksecurity.fi Security Advisory (28-10-2005) (#11)
Location URL: http://www.networksecurity.fi/advisories/multiledger.html
CVE references: CVE-2004-1094
- Description:
MultiLedger for Windows accounting system is confirmed as affected to remote type buffer overflow vulnerability.
The vulnerability is caused due to a boundary error in a 3rd-party compression library's (DUNZIP32.dll) old, vulnerable version used in company data restore functions. This can be exploited to cause a buffer overflow via a specially crafted company backup file.
When a specially crafted .zip backup file containing a file with an overly long filename (a file name or files inside a ZIP) is opened, the application will crash and the attacker may be able to execute arbitrary code on user's system.
- Detailed description:
Affected DynaZip library examined is version from December, 1996, file version 3.0.0.14. According to InnerMedia company versions 5.00.03 and prior are affected.
The following remarkable old file was copied to Windows\system32 directory during an installation process when tested:
File name: dunzip32.dll
Date stamp: 23th December, 1996 07:20AM
File size: 95 kB
File version: 3.0.0.14
Description: DynaZIP-32 UnZIP DLL
Copyright information: Copyright (c) Inner Media, Inc. 1993-1996, All Rights Reserved.
Dunzip32.dll is used at File / Restore Company... function.
From US-CERT VU#582498:
"Impact:
If a remote attacker can persuade a user to access a specially crafted zip file, the attacker may be able to execute arbitrary code on that user's system possibly with elevated privileges."
From the vendor:
"Integrated Accounting Made Simple. A proven integrated, networkable financial package for small businesses, MultiLedger is easy to use and installs quickly. Whether you need software to help manage jobs, run real-time reports, track costs, monitor cash flow, or produce up-to-the-minute financial reports, you can choose MultiLedger with confidence."
- Affected versions:
The vulnerability has been confirmed in version 6.0.3. Other versions may also be affected.
NOTE: According to vendor's reply InnerMedia library mentioned is used in Backup and Restore functions in several CheckMark programs. All versions before the newest version 7.0.2 (10/17/2005) are affected:
MultiLedger 7.0.1
MultiLedger 7.0.0
MultiLedger 6.0.5
MultiLedger 6.0.3
- OS:
Microsoft Windows: "Windows 95 or higher, including Windows 98, 2000, NT, ME, and XP"
Tests was done with Microsoft Windows XP Professional SP2 and Microsoft Windows 2000 Professional SP4 fully patched.
- Solution status:
Vendor has issued a patch. It can be obtained by downloading a patch from:
www.checkmark.com/support/patch_win_ml.php
"Installation Instructions:
Please note: You need at least version 7.0 of MultiLedger for Windows in order to run this patch."
Software Updates for Registered Users:
www.checkmark.com/order/updates.php
How to check installed software version: Select 'About CheckMark MultiLedger' from the 'Help' menu.
- Software:
CheckMark MultiLedger 6.x
CheckMark MultiLedger 7.x
www.checkmark.com/products/multiledger.php
Vendor and vendor Home Page:
CheckMark Software, Inc.
www.checkmark.com/
Vendor product Web page:
www.checkmark.com/products/multiledger.php
Solution:
Apply a patch:
www.checkmark.com/support/patch_win_ml.php
Criticality: Medium (2/3)
OS: Microsoft Windows
CVE Reference: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1094
- References:
US-CERT Cyber Security Bulletin's #SB05-306 High Risk warning
www.secunia.com/advisories/17394/
www.securiteam.com/windowsntfocus/6Z00W00EAM.html
xforce.iss.net/xforce/xfdb/17897
www.securityfocus.com/bid/11555
www.osvdb.org/displayvuln.php?osvdb_id=19906
www.secwatch.org/advisories/1011985/
US-CERT VU#582498:
"InnerMedia DynaZip library vulnerable to buffer overflow via long file names"
www.kb.cert.org/vuls/id/582498
From the vulnerability note:
"Users are encouraged to contact their software vendors if they suspect they are vulnerable."
Related CheckMark KnowledgeBase article:
"Restoring/Opening a Backup-MultiLedger for Windows and Payroll for Windows"
www.checkmark.com/support/result_display.php?kbrecordid=L12P72211L3O2
Credit information:
This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi.
Timeline:
24-Jan-2005 - Vulnerability researched and confirmed
24-Jan-2005 - Vendor was contacted, workarounds delivered to the vendor
24-Jan-2005 - (Vendor's reply to CheckMark Payroll for Windows vulnerability)
04-Mar-2005 - Vendor informed about upcoming, fixed version
11-Oct-2005 - Detailed research
26-Oct-2005 - Vendor was contacted again
26-Oct-2005 - Vendor's reply, vulnerability is fixed
28-Oct-2005 - Security companies and several CERT units contacted
01-Nov-2005 - CVE reference assigned
04-Nov-2005 - US-CERT Cyber Security Bulletin High Risk warning published
Revision history:
28-10-2005 1.0: Advisory published
28-10-2005 1.1: Updated advisory by adding references
31-10-2005 1.2: Updated advisory by adding references
01-11-2005 1.3: Added CVE reference and OSVDB reference
03-11-2005 1.4: Added updated X-Force reference
04-11-2005 1.5: Added US-CERT Cyber Security Bulletin reference
16-11-2005 1.6: Updated advisory title
08-01-2006 1.7: Updated OSVDB ID because of ID19906 release and updated X-Force ID
Local Finnish time is used.
Best regards,
Juha-Matti Laurio
security researcher
Finland
Copyright © Networksecurity.fi and Juha-Matti Laurio 2005
- To the Main Page
Read more about 41 other security vulnerabilities at
www.networksecurity.fi