A recently disclosed vulnerability in the MiniZip component of zlib combines an integer overflow with a resultant heap-based buffer overflow. The issue, tracked as CVE-2023-45853, is triggered when an application uses MiniZip to add a new entry to a ZIP archive and the entry's filename, comment, or extra field is overly long.

This article gives a detailed analysis of CVE-2023-45853, including its impact, a code excerpt that shows where the overflow happens, and links to the original references. Please note that MiniZip is not officially supported as part of the zlib product.

Background

zlib is a widely used data compression library that implements the DEFLATE algorithm. It provides functions for compressing and decompressing binary data in the DEFLATE format, either raw or wrapped in a container format such as gzip or zlib.

MiniZip is an optional component that ships in the contrib/minizip directory of the zlib source tree and provides an API for reading and writing the ZIP container format. Many developers use it as a convenient add-on for handling ZIP files in their zlib-based applications. However, it is worth noting that MiniZip is not officially supported as part of zlib.

Vulnerability Details

CVE-2023-45853 is an integer overflow leading to a heap-based buffer overflow in the MiniZip component of zlib through version 1.3. The issue sits in the zipOpenNewFileInZip4_64 function, which is the write path: it is called to start a new entry in an archive being created, and it takes the entry's filename, comment, and extra field as caller-supplied parameters. When those parameters are long enough, the arithmetic that sizes the entry's central directory header wraps.

The following excerpt, condensed from the zipOpenNewFileInZip4_64 function in zip.c, shows the vulnerable arithmetic. The three lengths are of type uInt (32-bit), so their sum with the fixed 46-byte header size is evaluated in 32-bit unsigned arithmetic and wraps, while the memcpy calls that fill the buffer use the individual, unwrapped lengths:

/* condensed from zipOpenNewFileInZip4_64() in contrib/minizip/zip.c (zlib 1.3) */
size_filename = (uInt)strlen(filename);
size_comment  = (comment == NULL) ? 0 : (uInt)strlen(comment);

/* uInt arithmetic: the sum wraps at 2^32 before it is stored */
zi->ci.size_centralheader = SIZECENTRALHEADER + size_filename
                          + size_extrafield_global + size_comment;
zi->ci.size_centralExtraFree = 32; /* spare room for a ZIP64 extra block */

/* the allocation is based on the wrapped sum */
zi->ci.central_header = (char*)ALLOC((uInt)zi->ci.size_centralheader
                                     + zi->ci.size_centralExtraFree);

/* the copies use the full lengths and run past the undersized buffer */
memcpy(zi->ci.central_header + SIZECENTRALHEADER, filename, size_filename);
memcpy(zi->ci.central_header + SIZECENTRALHEADER + size_filename,
       extrafield_global, size_extrafield_global);
memcpy(zi->ci.central_header + SIZECENTRALHEADER + size_filename
       + size_extrafield_global, comment, size_comment);

When the combined length of the filename, extra field, and comment (plus the 46 fixed bytes) exceeds what a 32-bit unsigned integer can hold, the computed size_centralheader wraps to a small value and a heap buffer far smaller than required is allocated. The subsequent memcpy calls then write the full field contents past the end of that buffer, corrupting the heap. Depending on how the application is built and what the attacker controls, the result ranges from a crash (denial of service) to memory corruption that could be leveraged for code execution. Note also that the ZIP format stores each of these lengths in a 16-bit field, so any value above 0xffff cannot be represented in a valid archive in the first place, which is the bound the upstream fix enforces.

Exploiting the Vulnerability

Because zipOpenNewFileInZip4_64 is used when writing an archive, the attacker does not supply a malicious ZIP file; instead, the attacker must influence the filename, comment, or extra field that a vulnerable application passes to MiniZip when it creates an archive (for example, a service that packages user-named uploads). Reaching the wrap requires the combined lengths to exceed 2^32 bytes, so the exposure is limited to applications that let untrusted input dictate entry metadata without any length limit. When such input reaches a vulnerable MiniZip, the application may crash, corrupt its heap, or, in the worst case, be steered into arbitrary code execution.

To mitigate this vulnerability, developers should update to a zlib that contains the upstream fix (the commit "Reject overflows of zip header fields in minizip" in the zlib repository, shipped in zlib 1.3.1), which returns ZIP_PARAMERROR when a filename, comment, or extra field is longer than 0xffff bytes. Applications that cannot update should enforce the same 16-bit limit on filenames, comments, and extra fields before calling MiniZip. Additionally, because MiniZip is not a supported part of the zlib product, it is worth considering alternative ZIP handling libraries that are actively maintained and receive security updates, such as libarchive or libzip.
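To make the wrapping arithmetic from the Vulnerability Details section concrete, and to show the length check that the mitigation above calls for, here is an added C example. It is illustration code written for this article, not MiniZip source: the functions mirror the size computation of zipOpenNewFileInZip4_64 with uint32_t in place of uInt, the constants SIZECENTRALHEADER (46), the 32-byte spare and ZIP_PARAMERROR (-102) are taken from zip.c, and the function names are this example's own. The sample lengths at the bottom are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as used by contrib/minizip/zip.c */
#define SIZECENTRALHEADER 46u   /* fixed part of a central directory entry */
#define CENTRAL_EXTRA_FREE 32u  /* spare room minizip reserves for a ZIP64 block */
#define ZIP_OK 0
#define ZIP_PARAMERROR (-102)   /* minizip's error code for bad arguments */

/* Bytes minizip 1.3 requests from ALLOC for the central header buffer.
 * The three lengths are uInt in zip.c, so the sum with the 46-byte header
 * is evaluated in 32-bit unsigned arithmetic and wraps at 2^32. */
uint64_t central_header_alloc_size(uint32_t size_filename,
                                   uint32_t size_extrafield_global,
                                   uint32_t size_comment)
{
    uint32_t wrapped = (uint32_t)(SIZECENTRALHEADER + size_filename
                                  + size_extrafield_global + size_comment);
    return (uint64_t)wrapped + CENTRAL_EXTRA_FREE;
}

/* Bytes the header construction actually writes: the 46 fixed bytes
 * followed by three memcpy copies of the full, unwrapped lengths. */
uint64_t central_header_bytes_written(uint32_t size_filename,
                                      uint32_t size_extrafield_global,
                                      uint32_t size_comment)
{
    return (uint64_t)SIZECENTRALHEADER + size_filename
         + size_extrafield_global + size_comment;
}

/* Returns 1 when the copies run past the allocation: the CVE-2023-45853
 * condition, i.e. the wrapped allocation is smaller than the data. */
int central_header_overflows(uint32_t size_filename,
                             uint32_t size_extrafield_global,
                             uint32_t size_comment)
{
    uint64_t need = central_header_bytes_written(size_filename,
                                                 size_extrafield_global,
                                                 size_comment);
    uint64_t have = central_header_alloc_size(size_filename,
                                              size_extrafield_global,
                                              size_comment);
    return need > have;
}

/* The guard the upstream fix adds before the arithmetic: every length must
 * fit the 16-bit field the ZIP format stores it in, which also makes a
 * wrapping sum impossible. Written here as a free function that an
 * application can call before zipOpenNewFileInZip4_64. */
int check_zip_header_field_lengths(size_t size_filename,
                                   size_t size_extrafield_local,
                                   size_t size_extrafield_global,
                                   size_t size_comment)
{
    if (size_filename > 0xffff || size_comment > 0xffff)
        return ZIP_PARAMERROR;
    if (size_extrafield_local > 0xffff || size_extrafield_global > 0xffff)
        return ZIP_PARAMERROR;
    return ZIP_OK;
}

int main(void)
{
    /* Constructed inputs: an ordinary entry, and one whose filename and
     * comment lengths push the 32-bit sum past 2^32. */
    uint32_t cases[2][3] = { { 12u, 0u, 5u }, { 0xFFFFFFF0u, 0u, 0x20u } };
    for (int i = 0; i < 2; i++) {
        uint32_t f = cases[i][0], e = cases[i][1], c = cases[i][2];
        printf("filename=%u extra=%u comment=%u: alloc=%llu written=%llu "
               "overflow=%d guard=%d\n", f, e, c,
               (unsigned long long)central_header_alloc_size(f, e, c),
               (unsigned long long)central_header_bytes_written(f, e, c),
               central_header_overflows(f, e, c),
               check_zip_header_field_lengths(f, 0, e, c));
    }
    return 0;
}
```

For the second constructed case the wrapped sum is 0x3E, so only 94 bytes are allocated while about 4 GiB would be copied into them; the guard rejects that case, and any length above 0xffff, before the allocation is ever reached.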

Conclusion and References

In summary, CVE-2023-45853 is an integer overflow leading to a heap-based buffer overflow in the MiniZip component of zlib through version 1.3 (fixed in zlib 1.3.1), reachable when an application writes a ZIP entry whose filename, comment, or extra field is controlled by untrusted input. Developers using MiniZip in their applications should be aware of this issue and take the steps above to mitigate it.

For more information on this vulnerability, please refer to the following resources:

- CVE-2023-45853 entry in the Common Vulnerabilities and Exposures database
- The contrib/minizip directory of the zlib repository on GitHub (github.com/madler/zlib)
- zlib's official website: zlib.net

Please remember that MiniZip is not officially supported as part of the zlib product and consider using alternative libraries for handling ZIP files in your zlib-based applications.

Timeline

Published on: 10/14/2023 02:15:09 UTC
Last modified on: 10/20/2023 21:15:09 UTC