Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   zoo Vendors:   Dhesi, Rahul
zoo Buffer Overflow in fullpath() Lets Remote Users Cause Arbitrary Code to Be Executed
SecurityTracker Alert ID:  1015668
SecurityTracker URL:
CVE Reference:   CVE-2006-0855   (Links to External Site)
Updated:  Apr 4 2006
Original Entry Date:  Feb 23 2006
Impact:   Execution of arbitrary code via network, User access via network

Description:   A vulnerability was reported in zoo. A remote user can cause arbitrary code to be executed on the target user's system.

The fullpath() in 'misc.c' contains a buffer overflow. A remote user can create a specially crafted archive that, when processed by the target user with zoo, will trigger a stack overflow and cause arbitrary code to be executed.

Jean-Sebastien Guay-Leroux discovered this vulnerability.

Impact:   A remote user can create a specially crafted archive that, when processed by the target user with zoo, will cause arbitrary code to be executed. The code will run with the privileges of the target user.
Solution:   No vendor solution was available at the time of this entry.

An unofficial patch is available at:

Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] zoo contains exploitable buffer overflows

Topic: zoo contains exploitable buffer overflows

Announced:      2006-02-22
Product:        zoo
Category:       Applications/Archiving
Impact:         Remote code execution


zoo is a file archiving utility for maintaining collections of files.
It uses Lempel-Ziv compression to provide space savings in the
range of 20 to 80 percent depending on the type of data. Written by
Rahul Dhesi, and posted to the USENET newsgroup comp.sources.misc.


When feeding zoo a specially crafted archive, an attacker may be able
to trigger a stack overflow and seize control of the program.

fullpath()/misc.c accepts a pointer to a directory entry and returns the
combined directory name and filename.  fullpath() calls the function
combine()/misc.c, and assume that the length of the string returned is never
longer than 256 bytes.  In fact, the string returned can be made a little
longer than 512 bytes.

If the string is in fact longer than 256 bytes, a static variable can be
overflowed in the function fullpath()/misc.c .  This string is later used
in a strcpy() on a destination buffer of 256 bytes on the stack.

It is then easy to overwrite EIP and take control of the program.


diff -u -r -r zoo-2.10.old/misc.c zoo-2.10.orig/misc.c
--- zoo-2.10.old/misc.c 1991-07-05 12:00:00.000000000 -0400
+++ zoo-2.10.orig/misc.c        2006-01-29 17:20:35.000000000 -0500
@@ -135,11 +135,16 @@
 char *fullpath (direntry)
 struct direntry *direntry;
-       static char result[PATHSIZE];
+       static char result[PATHSIZE+PATHSIZE+12]; // Room for enough space
        combine (result,
                                direntry->dirlen != 0 ? 
direntry->dirname : "",
                                (direntry->namlen != 0) ? direntry->lfname :
+       if (strlen (result) >= PATHSIZE) {
+               prterror ('f', "Combined dirname and filename too long\n");
+       }
        return (result);


To contact me, visit
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC