Though the discovery of Microsoft Office zero-day exploits has dropped dramatically in the last six months, new file format exploits are still being discovered (and exploited) regularly. After .zip and .rar file exploits, the latest archive format vulnerability affects the Lhaca archiver and its LZH compression support. While not very well known in the US and Europe, Lhaca appears to be a popular archive tool in Japan, as is the LZH compression format.
On Friday, June 22nd, one of our Japanese customers submitted an .lzh file. After quick analysis, the file in question raised immediate suspicion: it contained several NOP sleds, shellcode-like code blocks, decryptors, and an encoded executable inside the archive itself, all the ingredients of a file format exploit. The difficulty in this case was finding the application that could be vulnerable. Cheers to Masaki Suenaga in Security Response, Japan, for doing the initial analysis and finding out that Lhaca version 1.20 (at least) is vulnerable.
The vulnerability lies in a call to strcpy() with improper string length validation. Critical stack variables can be overwritten, and control is passed to shellcode. Interestingly, the .lzh file we have seems to contain duplicate code to maximize the chances of exploitation. According to my tests, the string being copied appears to be the file name of one of the archived files. I'll let you draw the obvious conclusion.
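Added example, not code from the original post or from Lhaca: the bounded file-name copy a hardened LZH header parser would use in place of the unchecked strcpy() described above. The header offsets, the 64-byte destination buffer and the build_header() helper are assumptions made for illustration; the point is that the length byte in the archive is attacker-controlled and must be checked against both the bytes actually present and the destination size before any copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified LZH-style header layout assumed for this example:
 *   [0]      header size byte
 *   [1..20]  checksum, method, sizes, timestamp, attribute, level (not parsed here)
 *   [21]     file name length (one byte, so 0..255)
 *   [22..]   file name bytes, not NUL-terminated in the archive
 */
#define NAME_LEN_OFFSET 21
#define NAME_OFFSET     22

/* Fixed-size destination, as an archiver might keep on the stack. */
#define NAME_BUF_SIZE 64

enum name_status { NAME_OK = 0, NAME_TRUNCATED_HEADER = 1, NAME_TOO_LONG = 2 };

/* The defect the post describes is the pattern
 *     strcpy(stack_buf, name_from_archive);
 * with no check of the name length against stack_buf, so an over-long
 * name overwrites whatever sits above the buffer on the stack.
 * extract_name() below is the bounded replacement. */
enum name_status extract_name(const uint8_t *hdr, size_t hdr_len,
                              char *out, size_t out_size)
{
    if (hdr_len < NAME_OFFSET) return NAME_TRUNCATED_HEADER;
    size_t name_len = hdr[NAME_LEN_OFFSET];
    /* The declared length must lie within the bytes we actually have. */
    if (name_len > hdr_len - NAME_OFFSET) return NAME_TRUNCATED_HEADER;
    /* Keep one byte for the terminator; reject rather than silently truncate,
     * so a shortened name can never be mistaken for a different file. */
    if (name_len >= out_size) return NAME_TOO_LONG;
    memcpy(out, hdr + NAME_OFFSET, name_len);
    out[name_len] = '\0';
    return NAME_OK;
}

/* Build a constructed header carrying a name of name_len bytes filled with
 * `fill`; returns the header length written, or 0 if it does not fit. */
size_t build_header(uint8_t *buf, size_t buf_size, size_t name_len, char fill)
{
    size_t total = NAME_OFFSET + name_len;
    if (total > buf_size || name_len > 255) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(total - 2 > 255 ? 255 : total - 2);
    buf[NAME_LEN_OFFSET] = (uint8_t)name_len;
    memset(buf + NAME_OFFSET, fill, name_len);
    return total;
}

int main(void)
{
    uint8_t hdr[300];
    char name[NAME_BUF_SIZE];

    /* Ordinary name: fits, copied and terminated. */
    size_t n = build_header(hdr, sizeof hdr, 12, 'a');
    printf("12-byte name  -> status %d, name \"%s\"\n",
           extract_name(hdr, n, name, sizeof name), name);

    /* Name longer than the destination: refused instead of overflowing. */
    n = build_header(hdr, sizeof hdr, 200, 'A');
    printf("200-byte name -> status %d\n", extract_name(hdr, n, name, sizeof name));

    /* Header claims 200 name bytes but only 50 bytes were read. */
    printf("short header  -> status %d\n", extract_name(hdr, 50, name, sizeof name));
    return 0;
}
```

The two rejections are deliberately distinct: a name that does not fit the destination is the overflow case from the post, while a length byte that exceeds the bytes read is an out-of-bounds read, and a parser that conflates them tends to fix one and keep the other.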
The archive itself is detected as Trojan.Lhdropper. If executed properly (on a Japanese version of Windows XP with Lhaca 1.20, for instance), the exploit will drop a back door in the Windows %System% folder. It will also drop a secondary LZH archive and open it after exploitation. This archive contains a clean Ichitaro document, a format also popular in Japan. Obviously, this trick allows attackers to keep the user's suspicions low. The same technique is used by Office exploits, where a clever attacker usually drops and opens a clean Word or Excel document after exploitation.
In this particular scenario, the attack could be considered regional, since both LZH and Lhaca are popular only in Japan. But in spite of the lack of widespread exploitation, this kind of situation still occurs every once in a while, just to remind us that the golden rule of email always applies: never open strange attachments, whether they come from anonymous people or carry appealing file names.