ZLib Compression Library Heap Corruption Vulnerability

The 'zlib' compression library is prone to a heap-corruption vulnerability.

Under some circumstances, a block of dynamically allocated memory may have the 'free()' routine called on it twice. This may occur during decompression.

An exploitable condition may result if the 'free()' function is used on memory that has already been freed. Under some circumstances, an attacker may be able to manipulate data layout in the heap so that an arbitrary word in memory is overwritten with a custom value when 'free()' is called for the second time.

Arbitrary code may run if critical values such as function return addresses, GOT entries, etc., are overwritten.
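The double-release condition described above, reduced to an added C example (not zlib's code and not part of the original advisory): a hypothetical decoder frees a table on its error path and again at teardown, a tracking allocator catches the repeat, and the hardened path clears the pointer after release. The `decoder` struct, the function names and the `0x78` input check are assumptions made for illustration.

```c
#include <stdlib.h>

#define MAX_LIVE 8
static void *live[MAX_LIVE];   /* blocks currently allocated */
static int repeats;            /* releases of a block that is no longer live */

static void *track_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                   /* registry full (free(NULL) is a no-op) */
    return NULL;
}

/* Release p once; a second release is counted and NOT passed to free(). */
static void track_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    repeats++;
}

struct decoder { unsigned char *table; };   /* hypothetical state */

/* Error path releases the table. With hardened == 0 the stale pointer is
   left in the state, which is the double-free precondition. */
static int decode(struct decoder *d, const unsigned char *in, size_t n, int hardened) {
    d->table = track_alloc(64);
    if (!d->table) return -1;
    if (n == 0 || in[0] != 0x78) {          /* constructed "malformed" test */
        track_free(d->table);
        if (hardened) d->table = NULL;      /* single owner: forget the block */
        return -1;
    }
    return 0;
}

/* Teardown always runs, including after a failed decode. */
static void decoder_end(struct decoder *d) {
    track_free(d->table);
    d->table = NULL;
}

/* Returns how many repeated releases the tracker caught for this input. */
int repeated_frees(const unsigned char *in, size_t n, int hardened) {
    struct decoder d = {0};
    repeats = 0;
    decode(&d, in, n, hardened);
    decoder_end(&d);
    return repeats;
}
```

With the stale pointer left in place, malformed input produces one repeated release at teardown; clearing the pointer on the error path removes it.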

By itself, this condition is not a vulnerability. An attacker must identify a program that is linked to the library or that uses vulnerable code with higher privileges (e.g. installed setuid) or runs on a remote machine. The attacker must also locate a method through which the condition may be triggered (for example, by supplying compressed data as input).

Several programs use 'zlib' or vulnerable code borrowed from the library, including:

- popt / rpm

- the Linux Kernel

Note that a similar vulnerability was reported in LBNL Traceroute. It was generally believed that this condition was not exploitable until proof-of-concept exploits were posted by two independent security researchers.

The FreeS/WAN IPSEC implementation reportedly also includes code from the vulnerable library. However, there are indications that this may not be exploitable in FreeS/WAN IPSEC implementations.

F-Secure SSH is not affected by this vulnerability. Apple Mac OS X is not prone to this issue.

A number of Microsoft Windows applications incorporate code from the zlib library, including Microsoft Office, Internet Explorer, DirectX, Messenger, and Front Page. It is not currently known whether these applications are affected by this issue. If they are affected, the degree of vulnerability has not been determined.

Various VNC viewer implementations may be affected by this issue under some circumstances. In particular, a VNC server may be able to exploit this issue to cause a denial of service to a VNC viewer/client. TightVNC and VNCThing are known to use vulnerable versions of the compression library. VNCThing runs on MacOS operating systems and is therefore not exploitable. TridiaVNC, VNC Viewer for Java, and VNC Viewer and Server for Apple Newton are also reportedly affected.

A number of Cisco products include code from the vulnerable compression library and are thus affected by this issue. These products include:

- Cisco Content Engine 507, 560, 590, and 7320 running Cache Software 3.1.1 or Application and Content Networking Software 4.0.x or 4.1.1.

- Cisco Content Router 4430 and Content Distribution Manager 4630 and 4650 running Application and Content Networking Software 4.0.x or 4.1.1.

- Cisco ME1100.

- Cisco IDS sensor appliances IDS-4210, IDS-4220-E and IDS-4230-xx are vulnerable if the sensor version is in the range 3.0(1) through 3.0(5).

- Cisco Metro 1500 DWDM running software releases prior to 3.3b.

- Cisco Hosting Solution Engine releases 1.0 and 1.3.

Versions prior to Nullsoft Winamp 2.79 also ship with the vulnerable compression library.

While this condition may not lead to code execution on FreeBSD operating systems, it may potentially cause a denial of service in applications that use the zlib compression library.

Macromedia Flash 5 is vulnerable to this issue. It is not yet known whether earlier versions are also affected.


Copyright 2010, SecurityFocus