Traceroute Software

ZLib Compression Library Heap Corruption Vulnerability (2007-10-19)

The zlib compression library is reportedly vulnerable to a heap corruption vulnerability.

Under some circumstances, a block of dynamically allocated memory may have the 'free()' routine called on it twice. This may occur during decompression.

An exploitable condition may result if the 'free()' function is used on memory that has already been freed. Under some circumstances, it is possible for an attacker to manipulate data layout in the heap so that an arbitrary word in memory is overwritten with a custom value when 'free()' is called for the second time.

Arbitrary code may be executed if critical values such as function return addresses, GOT entries, etc., are overwritten.

By itself, this condition is not a vulnerability. An attacker must identify a program linked to the library or using vulnerable code with higher privileges, or running on a remote machine. The attacker must also locate a method through which the condition may be triggered (for example, by supplying compressed data as input).

Several programs use zlib or vulnerable code borrowed from the library, including:

SSH / OpenSSH
rsync
OpenPKG
popt / rpm
the Linux Kernel

It should be noted that a similar vulnerability was reported in LBNL Traceroute. It was generally believed that this condition was not exploitable until proof of concept exploits were posted by two independent security researchers.

The FreeS/WAN IPSEC implementation reportedly also includes code from the vulnerable library. However, there are indications that this may not be exploitable in FreeS/WAN IPSEC implementations.

It has been determined that F-Secure SSH is unaffected by this vulnerability.

It has been reported that a number of Microsoft Windows applications incorporate code from the zlib library. Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page all appear to borrow code from the library. It is not currently known whether these applications are affected by this issue, and if they are affected, it has not been determined what degree of vulnerability exists.

It has been reported that Apple Mac OS X is not prone to this issue.

Various VNC viewer implementations may circumstantially be affected by this issue. In particular, it is theoretically possible that a VNC server may be able to exploit this issue to cause a denial of service to a VNC viewer/client. TightVNC and VNCThing are known to use vulnerable versions of the compression library. VNCThing runs on MacOS operating systems and is therefore not exploitable. TridiaVNC, VNC Viewer for Java, and VNC Viewer and Server for Apple Newton are also reportedly affected.

A number of Cisco products include code from the vulnerable compression library and are thus affected by this vulnerability. These products include:

- Cisco Content Engine 507, 560, 590, and 7320 running Cache Software 3.1.1 or Application and Content Networking Software 4.0.x or 4.1.1.

- Cisco Content Router 4430 and Content Distribution Manager 4630 and 4650 running Application and Content Networking Software 4.0.x or 4.1.1.

- Cisco ME1100.

- Cisco IDS sensor appliances IDS-4210, IDS-4220-E and IDS-4230-xx are vulnerable if the sensor version is in the range 3.0(1) through 3.0(5).

- Cisco Metro 1500 DWDM running software releases prior 3.3b are vulnerable.

- Cisco Hosting Solution Engine releases 1.0 and 1.3 are vulnerable.

Nullsoft Winamp versions prior to 2.79 also ship with the vulnerable compression library.

While this condition may not lead to code execution on FreeBSD operating systems, it has been reported that it may potentially cause a denial of service in applications which use the zlib compression library.

It has been discovered that Macromedia Flash 5 is vulnerable to this issue. It is not yet known whether earlier versions are also affected.