COMMAND

    zipandemail

SYSTEMS AFFECTED

    Winzip 8.0 for Windows NT/2000

PROBLEM

    Following is based on a Defcom Labs Advisory def-2001-09 by  Peter
    Grundl.  Winzip contains an exploitable buffer overflow flaw  that
    could allow an attacker to  execute arbitrary code under the  user
    context of the user or service running winzip.

    The /zipandemail option in winzip contains a buffer overflow  flaw
    when handling very long filenames.   The EIP is overwritten and  a
    carefully crafted filename could allow for execution of  arbitrary
    code.

    The probability of  this happening "in  the wild" is  very low, as
    the overflow only triggers if winzip is used with this option.

    Theoretically,  this  could  occur  when  a  .jpg with a malformed
    filename is 'zipped  and emailed'.   Alternatively if an  attacker
    managed  to  place  a  malicious  file  in the log directory on an
    automated logging system´ then the automated zipping and  emailing
    of the log would trigger the overflow.

SOLUTION

    Don't use the /zipandemail  function indescrimantely before a  fix
    has been released.  The  Vendor was contacted December 18th,  2000
    and  replied:   "Hopefully  this  will  be  corrected  in the next
    version,  fortunately  this  doesn't  seem  to a problem that many
    people will run into."