Info

Disclosure

Nov 26, 2005

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

A remote overflow exists in unalz. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted 'ALZ' archive containing a file with an overly long filename, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 0.53 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

hardkoder

unalz

0.52

References

Bugtraq ID: 15577
Secunia Advisory ID: 17774 18665
CVE ID: 2005-3862 (see also: NVD)
ISS X-Force ID: 23267
VUPEN Advisory: ADV-2005-2604
Vendor Specific News/Changelog Entry: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340842
Other Advisory URL: http://www.debian.org/security/2006/dsa-959
Vendor URL: http://www.kipple.pe.kr/win/unalz/

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/21160