dtSearch DUNZIP32.dll Buffer Overflow Vulnerability

2005-12-21 00:00:00
vulners.com

Networksecurity.fi Security Advisory (21-12-2005)

Title: dtSearch DUNZIP32.dll buffer overflow vulnerability
Criticality: High (3/3)
Affected software: dtSearch versions prior to 7.20 Build 7136
Author: Juha-Matti Laurio info [at] networksecurity.fi, juha-matti.laurio [at] netti.fi
Date: 21st December, 2005
Advisory ID: Networksecurity.fi Security Advisory (21-12-2005) (#15)
Location URL: http://www.networksecurity.fi/advisories/dtsearch.html
CVE reference: CVE-2004-1094
CVSS Severity: 10 (High)

  • From the vendor:
    "Instantly Search Terabytes of Text
    The dtSearch product line can instantly search terabytes of text across a desktop, network, Internet or Intranet site."

  • Summary:
    "dtSearch products also serve as tools for publishing, with instant text searching, large document collections to Web sites or CD/DVDs. - converts other file types - word processor, database, spreadsheet, email and full-text of email attachments, ZIP, Unicode, etc. - to HTML for display with highlighted hits."
    Reportedly 4 out of 5 of Fortune Magazine's most profitable companies purchased dtSearch developer or multi-user licenses in the past two years. The product is widely used in the Information Management, News and Financial, Technical Documentation and Government sectors.

  • Description:
    The dtSearch document search system is confirmed to be affected by a remotely exploitable buffer overflow vulnerability.
    The vulnerability is caused by a boundary error in a remarkably old, vulnerable version of a third-party compression library (DUNZIP32.dll) that is used when handling packed .ZIP documents. The InnerMedia DynaZip compression library in question is responsible for indexing and display operations. This can be exploited to cause a buffer overflow via a specially crafted zipped document. When a specially crafted .zip document containing a file with an overly long filename (the name of a file, or of several files, inside the ZIP) is opened, the application crashes and the attacker may be able to execute arbitrary code on the user's system (see the VU#582498 reference).

  • Detailed description:
    The affected DynaZip library examined is the version from December 2002, file version 5.0.0.2. According to InnerMedia, versions 5.00.03 and prior are affected.
    During installation in testing, the following remarkably old file was copied to the C:\Program Files\dtSearch\bin directory:
    File name: dunzip32.dll
    Date stamp: 6th December, 2002 04:05PM
    File version: 5.0.0.2
    Description: DynaZIP-32 Multi-Threading UnZIP DLL
    Copyright information: Copyright (c) 1995 - 2002 by Inner Media, Inc. All Rights Reserved.

NOTE: Dunzip32.dll is installed into the same directory as the dtSearch Engine application executable when dtSearch has been installed on end-users' machines. If that is the case, the library on end-users' machines also needs to be updated by applying a software update.

From US-CERT VU#582498:
"Impact:
If a remote attacker can persuade a user to access a specially crafted zip file, the attacker may be able to execute arbitrary code on that user's system possibly with elevated privileges."
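As an added defensive example (not from the advisory or from dtSearch), the following Python script flags ZIP archives whose stored filenames exceed a length cutoff, the condition the advisory names as the trigger, and checks both the central directory and the local file headers since the two copies of a name need not agree. The 260-character cutoff and the in-memory sample archive are assumptions made here for the demonstration.

```python
import io
import struct
import zipfile

# Assumed defensive cutoff (not from the advisory): stored names longer than
# Windows MAX_PATH (260) are rare in legitimate archives and worth quarantining.
MAX_NAME_LEN = 260

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header


def long_name_entries(data: bytes, limit: int = MAX_NAME_LEN):
    """Return [(where, name_len)] for every stored filename longer than
    `limit`. Both the central directory entry and the local header it points
    at are checked, because an unzip library may read either copy."""
    hits = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record; not a ZIP?")
    cd_size, cd_off = struct.unpack_from("<II", data, eocd + 12)
    pos = cd_off
    while pos < cd_off + cd_size and data[pos:pos + 4] == CDIR_SIG:
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        if name_len > limit:
            hits.append(("central", name_len))
        if data[local_off:local_off + 4] == LOCAL_SIG:
            loc_name_len = struct.unpack_from("<H", data, local_off + 26)[0]
            if loc_name_len > limit:
                hits.append(("local", loc_name_len))
        pos += 46 + name_len + extra_len + comment_len
    return hits


def build_sample() -> bytes:
    """Constructed test fixture: one ordinary entry plus one whose stored
    name is 304 characters long, so the detector has something to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
        zf.writestr("A" * 300 + ".txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    for where, n in long_name_entries(build_sample()):
        print(f"suspicious: {n}-byte filename in {where} header")
```

Running the script over real attachments (read the file as bytes and pass it to long_name_entries) gives a mail gateway or incident responder a cheap triage signal for archives aimed at this class of bug.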

  • Affected versions:
    The vulnerability has been confirmed in dtSearch Desktop with Spider version 7.10 (Build 7045). Other versions may also be affected.
    The newest dtSearch version from the 6.x product line is dtSearch 6.5 Build 6608.
    All earlier versions (vendor's Web pages list versions 1.x to 5.25) are probably affected as well.

The following products use an affected component:
dtSearch Desktop with Spider
dtSearch Network
dtSearch Indexer
dtSearch Indexer (Unicode)

The exact non-affected version number is 7.20.7136.1.

  • OS:
    Microsoft Windows
    "All products work with Win 95/98/ME/NT/2000/XP/2003/.NET"
    Tests were done with Microsoft Windows XP Professional SP2 and Microsoft Windows 2000 Professional SP4, both fully patched.

  • Solution status:
    The vendor has issued a patch that ships with the immune library version 5.00.07. It can be obtained by downloading a patch from:
    www.dtsearch.com/download.html#upgrades
    According to the vendor's reply, version 7.20 BETA Build 7136 from 11/29/2005 is immune as well.

  • Software:
    dtSearch 7.x
    dtSearch 6.x
    www.dtsearch.com/PLF_desktop.html (Desktop)

Vendor and vendor Home Page:
dtSearch Corp.
www.dtsearch.com

Vendor product Web page:
www.dtsearch.com/PLF_desktop.html (Desktop with Spider)

Solution:
Apply a patch:
www.dtsearch.com/download.html#upgrades

Criticality: High (3/3)

OS: Microsoft Windows

CVE information:
The Common Vulnerabilities and Exposures (CVE) project assigned the name CVE-2004-1094 to this issue on 20th December, 2005. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
The CVSS (Common Vulnerability Scoring System) severity score of issue CVE-2004-1094:
10 (High)

Credit information:
This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi.

Timeline:
12-Oct-2005 - Vulnerability researched and confirmed
05-Nov-2005 - Vendor was contacted
05-Nov-2005 - Vendor's reply; vendor informed about the upcoming fixed version and timeline
06-Nov-2005 - Detailed research
20-Dec-2005 - Vendor contacted again
20-Dec-2005 - CVE information submission sent to Mitre.org
20-Dec-2005 - Mitre.org assigns CVE-2004-1094
21-Dec-2005 - Security companies and several CERT units contacted

Revision history:
05-11-2005 1.0: Advisory written
20-12-2005 1.1: Updated advisory and added CVE reference
21-12-2005 1.2: Advisory published

Local Finnish time is used.

Best regards,
Juha-Matti Laurio
security researcher
Finland

Copyright © Networksecurity.fi and Juha-Matti Laurio 2005