New Heap-Spray Exploit Tied To LZH Archive Decompression

Researchers found a vulnerability in the classic compression standard Lhasa, once a mainstay for game developers in the mid-90s and still in use today.

Researchers at Cisco’s security research arm, Cisco Talos, identified the vulnerability, calling it a classic heap-spray exploit. In a report disclosing the vulnerability, Talos says a rigged LHA or LZH compressed file could allow attackers to gain a foothold in a targeted computer network.

At risk of being exploited are a multitude of security appliances and client-side antivirus software solutions that could fall victim to the exploit when scanning for viruses inside compressed LHA and LZH archives.

“A weaponized LZH archive is sent via email to a company. The message would end up in a mail server where a security appliance would see it as a suspicious attachment. Once the file is decompressed for purposes of scanning, the heap-spray exploit is triggered and an attacker could gain a foothold on the targeted network,” said Craig Williams, senior technical leader and security outreach manager for Cisco Talos, in an interview with Threatpost.

The vulnerability (CVE-2016-2347) centers on the Lhasa LZH/LHA decompression tool and library. Talos ties the flaw to the way the Lhasa library (or folder) is decompressed, creating what it calls an “integer underflow.”

“The software verifies that header values are not too large, but does not check for a too small header length. Decompressing an LHA or LZH file containing an under-value header size leads to the decompression software allocating a pointer to point to released memory on the heap,” wrote Talos researchers in their disclosure of the vulnerability, which they found in October 2015 and publicly disclosed Thursday.
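The missing lower-bound check described above is easy to see in code. The following is an added illustration, not Lhasa's own parser or any code from Talos: it uses a hypothetical LHA-style header layout (a one-byte header length, 22 bytes of fixed fields, then a variable-length filename) and shows the vulnerable pattern, which only checks that the length is not too large, beside a hardened version that also rejects a length smaller than the fixed part before subtracting.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical LHA-style header layout used only for this example (it is
 * not Lhasa's real format or parser): byte 0 is the one-byte header length,
 * the next HDR_FIXED_LEN - 1 bytes are fixed fields, and whatever remains
 * up to header_len is a variable-length filename. */
enum { HDR_FIXED_LEN = 22, HDR_MAX_LEN = 255, NAME_MAX = 64 };

/* Vulnerable pattern: only the upper bound is checked. When header_len is
 * below HDR_FIXED_LEN the unsigned subtraction wraps to a huge value, the
 * "integer underflow" the advisory describes. Returned here for
 * illustration only; it is never used to size a buffer. */
size_t variable_len_unchecked(uint8_t header_len) {
    size_t len = header_len;
    if (len > HDR_MAX_LEN) return 0;   /* upper bound only, as in the flawed check */
    return len - HDR_FIXED_LEN;        /* wraps when header_len < HDR_FIXED_LEN */
}

/* Hardened pattern: reject a too-small header before subtracting. */
bool variable_len_checked(uint8_t header_len, size_t *out) {
    size_t len = header_len;
    if (len < HDR_FIXED_LEN || len > HDR_MAX_LEN) return false;
    *out = len - HDR_FIXED_LEN;
    return true;
}

/* Convenience wrapper: the variable length as a signed value, -1 when rejected. */
long variable_len_or_minus1(uint8_t header_len) {
    size_t n;
    return variable_len_checked(header_len, &n) ? (long)n : -1L;
}

/* Parse a header from `avail` bytes of input, copying the filename into
 * `name` (NUL-terminated). Returns the header length consumed, or -1 if the
 * header is rejected: too small, too large, truncated, or name too long. */
int parse_header(const uint8_t *buf, size_t avail, char *name, size_t name_cap) {
    size_t name_len;
    if (avail < 1) return -1;
    if (!variable_len_checked(buf[0], &name_len)) return -1;  /* bounds check first */
    if (buf[0] > avail) return -1;                              /* truncated input */
    if (name_len + 1 > name_cap) return -1;                     /* would not fit */
    memcpy(name, buf + HDR_FIXED_LEN, name_len);
    name[name_len] = '\0';
    return buf[0];
}

/* Parse and compare the extracted name: 1 on match, 0 otherwise (including rejection). */
int header_name_is(const uint8_t *buf, size_t avail, const char *expected) {
    char name[NAME_MAX];
    if (parse_header(buf, avail, name, sizeof name) < 0) return 0;
    return strcmp(name, expected) == 0;
}

/* Constructed sample: a 30-byte header (22 fixed bytes + 8-byte name). */
static const uint8_t GOOD_HDR[30] = {
    30, 0x00, 'l', 'h', '5', '-', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'r', 'e', 'a', 'd', 'm', 'e', '.', 't'
};

/* Constructed sample: header_len claims 10, smaller than the fixed part. */
static const uint8_t SHORT_HDR[10] = { 10, 0x00, 'l', 'h', '5', '-', 0, 0, 0, 0 };

int main(void) {
    char name[NAME_MAX];
    printf("unchecked variable length for header_len=10: %zu (wrapped)\n",
           variable_len_unchecked(10));
    printf("checked variable length for header_len=10: %ld (rejected)\n",
           variable_len_or_minus1(10));
    printf("good header parsed: %d bytes, name=%s\n",
           parse_header(GOOD_HDR, sizeof GOOD_HDR, name, sizeof name), name);
    printf("short header parsed: %d\n",
           parse_header(SHORT_HDR, sizeof SHORT_HDR, name, sizeof name));
    return 0;
}
```

The key defensive point is ordering: the length is validated against both the minimum and the maximum before any arithmetic or allocation depends on it, so a crafted header cannot turn an unsigned subtraction into an enormous size.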

The heap spray takes place in the computer’s RAM and is used to open the door for attackers to deliver their payload.

“An attacker controlling the length and content of such a file can use the vulnerability to overwrite the heap with arbitrary code,” wrote Talos in its report.

The fact that Lhasa is an older compression standard, Williams said, suggests that files compressed with this standard would be supported in a large number of security appliances and software. “There is a good chance that Lhasa support is in a significant amount of security appliances and antivirus products that decompress and scan for vulnerabilities,” Williams said.
