Networksecurity.fi Security Advisory (10-10-2005)


Title: CheckMark Payroll DUNZIP32.dll buffer overflow vulnerability
Criticality: Medium
Affected software: CheckMark Payroll [for Year] 2004/2005 for Windows, versions prior to 3.9.7
Author: Juha-Matti Laurio   info [at] networksecurity.fi, juha-matti.laurio [at] netti.fi
Date: 10th October, 2005
Advisory ID: Networksecurity.fi Security Advisory (10-10-2005) (#10)
Location URL: http://www.networksecurity.fi/advisories/payroll.html
CVE references: CVE-2004-1094


- Description:
The CheckMark Payroll 2004/2005 for Windows payroll system is confirmed to be affected by a buffer overflow vulnerability.
The vulnerability is caused by a boundary error in an old, vulnerable version of a third-party compression library (DUNZIP32.dll) used by the Restore Backup function. It can be exploited via a specially crafted company backup file: when a .zip backup containing a file with an overly long filename (one or more file names inside the ZIP) is opened, the payroll application crashes and the attacker may be able to execute arbitrary code on the user's system.
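As an added example (not part of this advisory, and not code from CheckMark or InnerMedia), the following pre-flight check walks a ZIP file's end-of-central-directory record, central directory and local file headers and reports every member whose stored filename length exceeds a fixed limit, so that a company backup can be screened before it is handed to an unzip library of this vintage. The advisory names no exact length; the 259-byte threshold (one below Win32 MAX_PATH), the function names and the sample archives are assumptions made for the example.

```python
"""Pre-flight check for ZIP backup files: flag entries whose stored filename
is long enough to overflow a fixed-size name buffer in an old unzip library.

Added example; not part of the advisory, the vendor, or InnerMedia's code.
The 259-byte threshold is an assumption (one below Win32 MAX_PATH); the
advisory says only "overly long" and names no exact length.
"""
import io
import struct
import zipfile

EOCD_SIG = 0x06054B50            # end of central directory record
CDIR_SIG = 0x02014B50            # central directory file header
LOCAL_SIG = 0x04034B50           # local file header

EOCD_FMT = "<IHHHHIIH"           # 22 bytes (PKWARE APPNOTE 4.3.16)
CDIR_FMT = "<IHHHHHHIIIHHHHHII"  # 46 bytes (APPNOTE 4.3.12)
LOCAL_FMT = "<IHHHHHIIIHH"       # 30 bytes (APPNOTE 4.3.7)

MAX_NAME_LEN = 259               # assumed safe limit, see module docstring


def scan_zip_names(data: bytes, max_name_len: int = MAX_NAME_LEN) -> list:
    """Return one (index, cdir_name_len, local_name_len) tuple per entry whose
    central-directory or local-header filename length exceeds max_name_len.

    Walks the central directory rather than trusting sizes in local headers,
    so streaming entries (data descriptors) do not derail the walk. Raises
    ValueError on structurally broken input; ZIP64 archives are not handled.
    """
    eocd_at = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_at < 0 or eocd_at + struct.calcsize(EOCD_FMT) > len(data):
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_here, n_total,
     cd_size, cd_offset, _comment_len) = struct.unpack_from(EOCD_FMT, data, eocd_at)
    if cd_offset + cd_size > len(data):
        raise ValueError("central directory lies outside the file")

    findings = []
    pos = cd_offset
    for index in range(n_total):
        if pos + struct.calcsize(CDIR_FMT) > eocd_at:
            raise ValueError("central directory truncated")
        fields = struct.unpack_from(CDIR_FMT, data, pos)
        if fields[0] != CDIR_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        cd_name_len, cd_extra_len, cd_comment_len = fields[10], fields[11], fields[12]
        local_offset = fields[16]
        pos += struct.calcsize(CDIR_FMT) + cd_name_len + cd_extra_len + cd_comment_len

        # The local header carries its own copy of the name length; a crafted
        # archive can make the two disagree, so check both before trusting either.
        local_name_len = None
        if local_offset + struct.calcsize(LOCAL_FMT) <= len(data):
            local = struct.unpack_from(LOCAL_FMT, data, local_offset)
            if local[0] == LOCAL_SIG:
                local_name_len = local[9]

        if cd_name_len > max_name_len or (local_name_len or 0) > max_name_len:
            findings.append((index, cd_name_len, local_name_len))
    return findings


def build_sample_zip(name_len: int) -> bytes:
    """Constructed test fixture: a one-entry archive whose member name is
    name_len bytes long. Benign content; it only exercises the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("A" * (name_len - 4) + ".txt", b"constructed payroll backup stand-in")
    return buf.getvalue()


if __name__ == "__main__":
    for n in (24, 600):
        hits = scan_zip_names(build_sample_zip(n))
        verdict = "REJECT" if hits else "ok"
        print(f"name length {n:4d}: {verdict} {hits}")
```

Running the scanner over a backup before restoring it is a screening step only; it does not fix the library, and a ZIP64 archive or one with a corrupt central directory is rejected with ValueError rather than passed through.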

- Detailed description:
The DynaZip library examined dates from December 1996, file version 3.0.0.14. According to InnerMedia, versions 5.00.03 and prior are affected.
During a test installation the following notably old file was copied to the Windows\system32 directory:
File name: dunzip32.dll
Date stamp: 23rd December, 1996, 07:20 AM
File size: 95 kB
File version: 3.0.0.14
Description: DynaZIP-32 UnZIP DLL
Copyright information: Copyright (c) Inner Media, Inc. 1993-1996, All Rights Reserved.

Dunzip32.dll is used by the File / Restore Backup... function.

From US-CERT VU#582498:
"Impact:
If a remote attacker can persuade a user to access a specially crafted zip file, the attacker may be able to execute arbitrary code on that user's system possibly with elevated privileges."

From the vendor:
"The Easiest Way to Run Payroll:
CheckMark Payroll keeps you on track, in compliance, and stress-free no matter what type of business you run. Use it as a stand-alone program, or post to just about any accounting software on the market, including CheckMark's own MultiLedger."

- Affected versions:
The vulnerability has been confirmed in version 3.7.5. Other versions may also be affected.
NOTE: According to the vendor's reply, the InnerMedia library mentioned is used by the Backup and Restore functions of several CheckMark programs. Vendor information says that all versions before the newest version, 3.9.7 (04/28/2005), are affected:
Payroll 3.9.6
Payroll 3.9.5
Payroll 3.9.4
Payroll 3.9.3
Payroll 3.9.2
Payroll 3.9.1
Payroll 3.7.5, i.e. CheckMark Payroll [for Year] 2003

- OS:
Tests were done with Microsoft Windows XP Professional SP2 and Microsoft Windows 2000 Professional SP4, both fully patched.

- Solution status:
The vendor has issued a patch, which can be downloaded from:
www.checkmark.com/support/patch_win_pr.php
"Installation Instructions:
Please note: You need to have the 2004/2005 version (3.9.x) of CheckMark Payroll for Windows already installed to run this patch."
Software Updates for Registered Users:
www.checkmark.com/order/updates.php
How to check installed software version: Select 'About CheckMark Payroll' from the 'Help' menu.

- Software:
CheckMark Payroll 3.x
www.checkmark.com/products/payroll.php

Vendor and vendor Home Page:
CheckMark Software, Inc.
www.checkmark.com/

Vendor product Web page:
www.checkmark.com/products/payroll.php

Solution:
Apply a patch:
www.checkmark.com/support/patch_win_pr.php

Criticality: Medium (2/3)

OS: Microsoft Windows

CVE Reference: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1094

- References:
US-CERT Cyber Security Bulletin SB05-306 (High Risk warning)
www.secunia.com/advisories/17096/
www.frsirt.com/english/advisories/2005/2057
xforce.iss.net/xforce/xfdb/17879
www.securityfocus.com/bid/11555
www.osvdb.org/displayvuln.php?osvdb_id=19906
www.secwatch.org/advisories/1011849/
www.frsirt.com/bulletins/2310 (French-language)
www.securitylab.ru/vulnerability/241141.php
US-CERT VU#582498:
"InnerMedia DynaZip library vulnerable to buffer overflow via long file names"
www.kb.cert.org/vuls/id/582498
From the vulnerability note:
"Users are encouraged to contact their software vendors if they suspect they are vulnerable."

"What's included in the Windows Payroll patch? / Changes in Payroll 3.9.7, dated 04/28/2005":
www.checkmark.com/support/prw_update.php
Related CheckMark KnowledgeBase article:
"Restoring/Opening a Backup-MultiLedger for Windows and Payroll for Windows"
www.checkmark.com/support/result_display.php?kbrecordid=L12P72211L3O2
Link to Finnish-language Networksecurity.fi Weblog entry:
networksecurity.typepad.com/networksecurity/2005/10/payrolohjelmist.html


Credit information:
This issue was researched by Juha-Matti Laurio, Networksecurity.fi.

Timeline:
24-Jan-2005 - Vulnerability researched and confirmed
24-Jan-2005 - Vendor was contacted, workarounds delivered to the vendor
24-Jan-2005 - Vendor's reply
04-Mar-2005 - Vendor informed about upcoming, fixed version
12-May-2005 - Vendor informed about published, fixed version
07-Oct-2005 - Detailed research of fixed version
10-Oct-2005 - Security companies and several CERT units contacted
01-Nov-2005 - CVE reference assigned
04-Nov-2005 - US-CERT Cyber Security Bulletin High Risk warning published

Revision history:
10-10-2005 1.0: Advisory published
10-10-2005 1.1: Updated advisory
11-10-2005 1.2: Updated advisory
11-10-2005 1.3: Updated advisory by adding references
12-10-2005 1.4: Updated advisory by adding exact list about affected versions, added published security advisories
18-10-2005 1.5: Updated advisory by adding a new reference
20-10-2005 1.6: Updated advisory by adding a new reference
01-11-2005 1.7: Added CVE reference
04-11-2005 1.8: Added US-CERT Cyber Security Bulletin reference
08-01-2006 1.9: Updated X-Force ID

Local Finnish time is used.





Best regards,
Juha-Matti Laurio
security researcher
Finland

Copyright © Networksecurity.fi and Juha-Matti Laurio 2005 - 2006