Vulnerability discovered by Marcin Noga of Cisco Talos.

Talos is disclosing the discovery of vulnerability TALOS-2016-0095 / CVE-2016-2347 in the Lhasa LZH/LHA decompression tool and library. This vulnerability is due to an integer underflow condition. The software verifies that header values are not too large, but does not check for a too small header length. Decompressing a LHA or LZH file containing an under-value header size leads to the decompression software allocating a pointer to point to released memory on the heap. An attacker controlling the length and content of such a file can use the vulnerability to overwrite the heap with arbitrary code.

An evident attack vector is to trick users into opening malicious files and exploiting the vulnerability to execute malicious code on the user’s device. An alternative, and less obvious vector is to exploit file scanning systems that use the Lhasa library to read the contents of LZH and LHA files. Supporting the ability to scan less commonly used file formats is often required of systems that scan incoming email attachments, files downloaded over the internet etc. Frequently these scanning systems use standard open-source libraries to parse and extract the contents of these files. The opening and scanning of files in these formats does not require user interaction and is often overlooked as a means by which malicious adversaries can execute code remotely. Vulnerabilities similar to this may be a means by which security controls are circumvented to gain access to organisations’ systems.

Users should not overlook their possible exposure to vulnerabilities such as these through the inclusion of vulnerable libraries in third party systems.

Snort rules: 37493, 37494

ClamAV: BC.Unix.Exploit.Agent

FireAMP: Unix.Exploit.Agent

For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or  Due to the nature of this vulnerability at this point in time web and email coverage is provided by AMP.