Cisco reported on Thursday that it has discovered a vulnerability in the Lhasa library that allows attackers to execute arbitrary code on targeted systems.
Lhasa is an open source tool and library used to parse and decompress LHA (.lzh) archives, and it’s offered as an alternative for the UNIX LHA utility.
Marcin Noga of Cisco TALOS discovered that Lhasa v0.3.0 and earlier are plagued by an integer underflow vulnerability that can be exploited for arbitrary code execution.
According to Cisco, the vulnerability, tracked as CVE-2016-2347, exists because while Lhasa checks header values to ensure they are not too large, it does not verify that the length of the header is not too small.
“Decompressing a LHA or LZH file containing an under-value header size leads to the decompression software allocating a pointer to point to released memory on the heap. An attacker controlling the length and content of such a file can use the vulnerability to overwrite the heap with arbitrary code,” Cisco researchers explained.
Lhasa developers described the flaw as an issue with level 3 header decoding routines, where a 32-bit header with a length smaller than the length of the base level 3 header could lead to an exploitable heap corruption condition.
Malicious actors can exploit the vulnerability to execute arbitrary code by tricking targeted users into opening a specially crafted file. The flaw can also be exploited via file scanning systems that leverage the vulnerable library to read the content of LZH and LHA files.
Experts noted that file scanners, such as the ones used to verify email attachments and files downloaded from the Web, often rely on open source libraries to parse and extract the content of less common file formats.
“The opening and scanning of files in these formats does not require user interaction and is often overlooked as a means by which malicious adversaries can execute code remotely. Vulnerabilities similar to this may be a means by which security controls are circumvented to gain access to organisations’ systems,” researchers warned.
Cisco has published an advisory containing an analysis of the vulnerable code and details on how the security hole can be exploited.
Lhasa developers announced on Thursday that the issue was addressed with the release of version 0.3.1. However, the fix was committed more than two weeks ago.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
Latest News
- Dozens of Malicious Extensions Found in Chrome Web Store
- What if the Current AI Hype Is a Dead End?
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
- SBOMs – Software Supply Chain Security’s Future or Fantasy?
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
