NanaZip Stack-Based Out-of-Bounds Read Vulnerability in ZealFS Filesystem Image Parser
Vulnerability
A stack-based out-of-bounds read vulnerability has been identified in NanaZip versions from 5.0.1252.0 up to, but not including, 6.0.1698.0. The issue arises in the ZealFS filesystem image parser when handling crafted ZealFS v1 images. An attacker can trigger it by manipulating the BitmapSize field in the file header, which drives an unbounded loop that reads beyond the end of a stack-allocated header structure. The overread discloses adjacent stack memory, which can include sensitive values such as return addresses and stack canaries.
Impact
In AddressSanitizer-instrumented builds the overread is reported as a stack-buffer-overflow and crashes the process. In non-instrumented builds, the overread can cross a stack guard page, also leading to a crash. Additionally, the out-of-bounds read folds up to 195 bytes of stack memory into the free space calculation; that result can be queried to reconstruct individual stack bytes, potentially leaking return addresses or canary values. A leaked return address could be used to bypass Address Space Layout Randomization (ASLR).
Reproduction
The vulnerability can be reproduced by opening a crafted ZealFS v1 filesystem image with NanaZip versions from 5.0.1252.0 up to, but not including, 6.0.1698.0. The crafted image must carry a BitmapSize value greater than 32, which causes the parser to read past the end of the stack-allocated header structure.
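The bounds check that closes the bug described above and in the Vulnerability section, shown as an added illustration in C. This is not NanaZip's or ZealFS's code: the header layout (zealfs_header_t), the free-page polarity of bitmap bits, the magic byte and the sample image are all assumptions constructed for the example; only the fixed 32-byte bitmap and the untrusted BitmapSize field come from the advisory.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical header layout used for illustration; the field order and sizes are
 * assumptions, not ZealFS's or NanaZip's real on-disk structure. What matters is the
 * fixed 32-byte bitmap array and the image-supplied bitmap_size that indexes it. */
#define ZEALFS_BITMAP_BYTES 32
typedef struct {
    uint8_t magic;
    uint8_t version;
    uint8_t bitmap_size;                 /* taken verbatim from the image: untrusted */
    uint8_t bitmap[ZEALFS_BITMAP_BYTES]; /* fixed size; the loop below must never exceed it */
} zealfs_header_t;

/* Copy a raw header out of the image, rejecting a buffer too short to hold one. */
int zealfs_parse_header(const uint8_t *buf, size_t len, zealfs_header_t *out)
{
    if (buf == NULL || len < sizeof(*out))
        return -1;
    memcpy(out, buf, sizeof(*out));
    return 0;
}

/* Free-space calculation: count clear bits (assumed to mean "free page") over
 * bitmap_size bytes. The bounds check is the fix: without it, a bitmap_size above 32
 * walks the loop off the end of bitmap[] into whatever follows the header on the stack,
 * and those bytes are folded into the returned count. Returns -1 for such a header. */
long zealfs_free_pages(const zealfs_header_t *hdr)
{
    if (hdr->bitmap_size > ZEALFS_BITMAP_BYTES)
        return -1;                       /* crafted header: refuse before reading anything */
    long free_pages = 0;
    for (unsigned i = 0; i < hdr->bitmap_size; i++)
        for (unsigned bit = 0; bit < 8; bit++)
            if (!(hdr->bitmap[i] & (1u << bit)))
                free_pages++;
    return free_pages;
}

/* Constructed image: first two bitmap bytes fully allocated, the rest free, with
 * bitmap_size set by the caller. 32 is a benign header; anything above 32 is the
 * crafted case from the advisory. Returns -2 if the image is too short to parse. */
long demo_free_pages(uint8_t claimed_bitmap_size)
{
    uint8_t img[sizeof(zealfs_header_t)] = { 'Z', 1, 0, 0xFF, 0xFF }; /* 'Z' is a made-up magic */
    img[2] = claimed_bitmap_size;
    zealfs_header_t h;
    if (zealfs_parse_header(img, sizeof img, &h) != 0)
        return -2;
    return zealfs_free_pages(&h);
}
```

With the check in place a header claiming more than 32 bitmap bytes is rejected outright instead of leaking the bytes that follow the structure into the free-space result.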
Remediation
Users can upgrade to NanaZip version 6.0.1698.0 or later, where this vulnerability has been fixed.