Cisco reported on Thursday that it has discovered a vulnerability in the Lhasa library that allows attackers to execute arbitrary code on targeted systems.
Lhasa is an open source tool and library used to parse and decompress LHA (.lzh) archives, and it’s offered as an alternative for the UNIX LHA utility.
Marcin Noga of Cisco TALOS discovered that Lhasa v0.3.0 and earlier are plagued by an integer underflow vulnerability that can be exploited for arbitrary code execution.
According to Cisco, the vulnerability, tracked as CVE-2016-2347, exists because while Lhasa checks header values to ensure they are not too large, it does not verify that the length of the header is not too small.
“Decompressing a LHA or LZH file containing an under-value header size leads to the decompression software allocating a pointer to point to released memory on the heap. An attacker controlling the length and content of such a file can use the vulnerability to overwrite the heap with arbitrary code,” Cisco researchers explained.
Lhasa developers described the flaw as an issue with level 3 header decoding routines, where a 32-bit header with a length smaller than the length of the base level 3 header could lead to an exploitable heap corruption condition.
Malicious actors can exploit the vulnerability to execute arbitrary code by tricking targeted users into opening a specially crafted file. The flaw can also be exploited via file scanning systems that leverage the vulnerable library to read the content of LZH and LHA files.
Experts noted that file scanners, such as the ones used to verify email attachments and files downloaded from the Web, often rely on open source libraries to parse and extract the content of less common file formats.
“The opening and scanning of files in these formats does not require user interaction and is often overlooked as a means by which malicious adversaries can execute code remotely. Vulnerabilities similar to this may be a means by which security controls are circumvented to gain access to organisations’ systems,” researchers warned.
Cisco has published an advisory containing an analysis of the vulnerable code and details on how the security hole can be exploited.
Lhasa developers announced on Thursday that the issue was addressed with the release of version 0.3.1. However, the fix was committed more than two weeks ago.