Hashcat Heap-Based Buffer Overflow Vulnerability in PKZIP Hash Parser Allowing Denial-of-Service or Arbitrary Code Execution

Vulnerability

A heap-based buffer overflow vulnerability has been identified in the PKZIP hash parser of Hashcat version 7.1.2. This vulnerability allows an attacker to cause a denial-of-service or potentially execute arbitrary code by using a crafted PKZIP hash file. The issue arises in modules 17200, 17210, 17220, 17225, and 17230. The vulnerability occurs when the data_type_enum is less than or equal to 1, as the hex data from the user-supplied hash string is decoded into a fixed-size buffer without proper validation of the input length.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, where the attacker-controlled hex data overwrites adjacent memory. This type of overflow can often be exploited to execute arbitrary code.

Reproduction

To reproduce this vulnerability, create a PKZIP hash file with the data_type set to 1 and an oversized hex data field. When this crafted hash file is processed by Hashcat in one of the affected modules, the parser will skip the necessary length checks and decode the hex data into a fixed-size buffer, causing a heap-based buffer overflow.

Remediation

Users can upgrade to Hashcat version 7.1.3 or later, where this vulnerability has been addressed.
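The missing control described under Vulnerability is a length check before hex-decoding into a fixed-size buffer. The following is an added example of that check, not Hashcat's source code and not the actual 7.1.3 fix; the buffer size, the struct and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_BUF_LEN 64 /* assumed fixed buffer size, not Hashcat's real value */

/* Hypothetical parsed-hash record; the layout is an assumption. */
typedef struct {
  uint8_t data[DATA_BUF_LEN];
  size_t  data_len;
} zip_hash_t;

/* Convert one hex character to its value, or -1 if it is not hex. */
static int hex_nibble(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

/* Decode a hex field into the fixed buffer; returns 0 on success, -1 on reject.
 * The length check applies to every data type and runs before any write. */
int decode_hex_field(zip_hash_t *out, const char *hex, size_t hex_len) {
  if (out == NULL || hex == NULL) return -1;
  if (hex_len % 2 != 0) return -1;                /* odd length: malformed */
  if (hex_len / 2 > sizeof(out->data)) return -1; /* would not fit in buffer */

  for (size_t i = 0; i < hex_len / 2; i++) {
    int hi = hex_nibble(hex[2 * i]);
    int lo = hex_nibble(hex[2 * i + 1]);
    if (hi < 0 || lo < 0) return -1;              /* non-hex character */
    out->data[i] = (uint8_t)((hi << 4) | lo);
  }
  out->data_len = hex_len / 2;
  return 0;
}

int main(void) {
  zip_hash_t h = {0};
  char big[2 * DATA_BUF_LEN + 2];                 /* constructed oversized field */
  memset(big, 'a', sizeof big);
  printf("short field: %d\n", decode_hex_field(&h, "0aff10", 6));
  printf("oversized field: %d\n", decode_hex_field(&h, big, sizeof big));
  return 0;
}
```

The oversized field is rejected before any byte reaches the buffer, so the parser fails closed instead of writing past the allocation.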

Added: May 1, 2026, 2:20 PM
Updated: May 1, 2026, 2:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.0
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.