06-25-2007, 02:32 PM
Symantec
Beware of LZH
Though the discovery of Microsoft Office zero-day exploits has dropped dramatically in the last six months, new file format exploits are still being discovered (and exploited) regularly. After .zip and .rar file exploits, the latest archive format vulnerability affects the Lhaca archiver and its LZH compression support. While not very well known in the US and Europe, Lhaca appears to be a popular archive tool in Japan, as is the compression format LZH.

On Friday, June 22nd, one of our Japanese customers submitted an .lzh file. The file in question, after quick analysis, raised immediate suspicion. It contained several NOP-sleds, shell code-like code blocks, decryptors, and an encoded executable in the archive itself! All the ingredients required by file format exploit recipes. The difficulty in this case is finding the application that could be vulnerable. Cheers to Masaki Suenaga in Security Response, Japan for doing the initial analysis and finding out that Lhaca version 1.20 (at least) is vulnerable (http://www.securityfocus.com/bid/24604).

The vulnerability lies in a call to strcpy() with improper string length validation. Critical stack variables can be overwritten, and control is passed to a shell code. Interestingly, it seems the .lzh file we have contains duplicate code to maximize exploitation chances. According to my tests, it seems the string being copied is a file name of one of the archived files. I'll let you draw the obvious conclusion.

The archive itself is detected as Trojan.Lhdropper (http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-062506-5500-99). If executed properly - on a Japanese version of Windows XP with Lhaca 1.20 for instance - the exploit will drop a back door in the Windows %System% folder. It will also drop a secondary LZH archive and will open it up after exploitation. This archive contains a clean Ichitaro document, a format also popular in Japan. Obviously, this trick allows attackers to keep the user's suspicions low. The same technique is used by Office exploits, when a clever attacker usually drops and opens a clean Word or Excel document after exploitation.

In this particular scenario, the attack could be considered regional, since both LZH and Lhaca are only popular in Japan. But in spite of the lack of widespread exploitation, this kind of situation still occurs every once in a while, just to remind us the email golden rule always applies: never open strange attachments, either sent by anonymous people and/or with appealing file names.
http://www.symantec.com/enterprise/security_response/weblog/2007/06/beware_of_lzh.html
Mon, 25 Jun 2007 08:39:58 -0800
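As an added illustration of the length check the post says was missing around strcpy() (example code, not from the post, from Symantec or from Lhaca): a bounds-checked reader for the file name field of an LZH level-0 entry header, where the name length comes from a single attacker-controlled byte. The header layout, the lzh_* names and the two sample headers are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed LZH level-0 header layout (byte offsets from the header start):
 *  0 header size (bytes after the checksum)   1 header checksum
 *  2 method id, 5 bytes, e.g. "-lh5-"         7 packed size, 11 original size
 * 15 DOS time/date   19 attribute   20 header level (0)
 * 21 file name length N   22..22+N-1 file name   then a 2-byte CRC-16 */
#define LZH_L0_NAME_OFF 22
enum lzh_status { LZH_OK = 0, LZH_TRUNCATED = -1, LZH_BAD_HEADER = -2, LZH_NAME_TOO_LONG = -3 };

/* Copy the archived file name into out[outlen] without trusting the length byte:
 * it is checked against the declared header size, the bytes actually read and
 * the destination buffer before anything is copied (the checksum is not verified). */
int lzh_l0_read_name(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (buf == NULL || out == NULL || outlen == 0 || len < LZH_L0_NAME_OFF)
        return LZH_TRUNCATED;
    if (buf[20] != 0 || memcmp(buf + 2, "-lh", 3) != 0)
        return LZH_BAD_HEADER;                  /* only level-0 "-lhX-" entries */
    size_t hdr_size = buf[0], name_len = buf[21];
    if (LZH_L0_NAME_OFF + name_len > hdr_size)  /* 20 fixed bytes + name + CRC */
        return LZH_BAD_HEADER;
    if (LZH_L0_NAME_OFF + name_len > len)       /* name runs past what was read */
        return LZH_TRUNCATED;
    if (name_len >= outlen)                     /* must leave room for the NUL */
        return LZH_NAME_TOO_LONG;
    memcpy(out, buf + LZH_L0_NAME_OFF, name_len);
    out[name_len] = '\0';
    return LZH_OK;
}

static char g_name[64];                         /* a fixed buffer, as in a typical parser */

/* Constructed sample headers (not the real sample): a benign 5-byte name, and a
 * header whose length byte declares a 200-byte name that g_name cannot hold. */
int lzh_demo(int hostile)
{
    uint8_t hdr[2 + 255 + 2] = {0};
    size_t n = hostile ? 200 : 5;
    hdr[0] = (uint8_t)(22 + n);                 /* level-0 header size = 22 + N */
    memcpy(hdr + 2, "-lh5-", 5);
    hdr[19] = 0x20;                             /* DOS archive attribute */
    hdr[21] = (uint8_t)n;
    if (hostile) memset(hdr + 22, 'A', n); else memcpy(hdr + 22, "a.txt", 5);
    return lzh_l0_read_name(hdr, 24 + n, g_name, sizeof g_name);
}

int main(void)
{
    printf("benign header: status %d, name \"%s\"\n", lzh_demo(0), g_name);
    printf("oversized name: status %d (nothing copied)\n", lzh_demo(1));
    return 0;
}
```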