NanaZip Heap Out-of-Bounds Write Vulnerability in UFS Filesystem Image Parser
Vulnerability
A heap out-of-bounds write has been identified in NanaZip, affecting versions from 5.0.1250.0 up to, but not including, 6.0.1698.0. The flaw is in the UFS/UFS2 filesystem image parser and is reached when a crafted UFS image is opened. The attacker controls the byte offset of the write within an approximately 254-byte window past the end of the heap allocation, which is enough to corrupt adjacent heap data.
Impact
Exploitation produces a heap-buffer-overflow: the out-of-bounds write corrupts heap metadata and the application subsequently crashes, which is a denial-of-service condition. Because the write lands on the Windows NT heap at an attacker-chosen offset, it can also reach heap management structures or neighbouring allocations, so more severe exploitation than a crash cannot be ruled out.
Reproduction
To reproduce the issue, build a UFS1 filesystem image containing a directory entry crafted to trigger the out-of-bounds write, placed at an offset chosen to make full use of the write window. Opening the image in NanaZip is sufficient: the archiver detects the UFS format automatically and runs the vulnerable parsing code, so no user action beyond opening the file is needed.
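The advisory does not say which directory-entry field drives the out-of-bounds offset, so the following is an added, illustrative UFS1 directory-block walker (not NanaZip's code) that shows the full set of bounds checks such a parser needs: every `d_reclen` must be non-zero, 4-byte aligned and contained in the block, and every `d_namlen` must fit inside its own record before the name is copied. The 512-byte sample block and the two malformed variants are constructed here for the example; the on-disk layout follows `struct direct` from the UFS headers, and the code assumes a little-endian image on a little-endian host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define UFS_DIRBLKSIZ 512
#define UFS_MAXNAMLEN 255

/* On-disk UFS1 directory entry header (struct direct); d_name follows it.
 * Example assumption: host and image are both little-endian. */
typedef struct {
    uint32_t d_ino;
    uint16_t d_reclen;
    uint8_t  d_type;
    uint8_t  d_namlen;
} ufs_direct_hdr;

/* Minimum record size for a name of namlen bytes: header + name + NUL, rounded to 4. */
#define UFS_DIRECTSIZ(namlen) (sizeof(ufs_direct_hdr) + (((namlen) + 1 + 3) & ~(size_t)3))

enum { UFS_DIR_TRUNCATED = -1, UFS_DIR_BAD_RECLEN = -2, UFS_DIR_BAD_NAMLEN = -3 };

typedef struct {
    uint32_t ino;
    uint8_t  type;
    char     name[UFS_MAXNAMLEN + 1];   /* 256 bytes: room for any u8 namlen plus NUL */
} ufs_dirent;

/* Walk one directory block. Writes up to max_out live entries into out.
 * Returns the number of live entries found, or a negative error code. */
int ufs_walk_dirblock(const uint8_t *blk, size_t blklen, ufs_dirent *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < blklen) {
        if (blklen - off < sizeof(ufs_direct_hdr))
            return UFS_DIR_TRUNCATED;                 /* header itself would run off the block */
        ufs_direct_hdr h;
        memcpy(&h, blk + off, sizeof h);              /* copy out: no unaligned field access */
        if (h.d_reclen == 0 || (h.d_reclen & 3) != 0)
            return UFS_DIR_BAD_RECLEN;                /* zero reclen would loop forever; must be aligned */
        if (h.d_reclen > blklen - off)
            return UFS_DIR_BAD_RECLEN;                /* record extends past the block buffer */
        if (h.d_reclen < UFS_DIRECTSIZ(h.d_namlen))
            return UFS_DIR_BAD_NAMLEN;                /* name would extend past its own record */
        if (h.d_ino != 0) {                           /* d_ino == 0 marks an unused slot */
            if (n < max_out) {
                out[n].ino  = h.d_ino;
                out[n].type = h.d_type;
                memcpy(out[n].name, blk + off + sizeof h, h.d_namlen);  /* bounded by the checks above */
                out[n].name[h.d_namlen] = '\0';
            }
            n++;
        }
        off += h.d_reclen;
    }
    return (int)n;
}

/* Helper for the constructed sample: append one entry at off, return the next offset. */
static size_t put_direct(uint8_t *blk, size_t off, uint32_t ino, uint16_t reclen, uint8_t type, const char *name)
{
    size_t namlen = strlen(name);
    ufs_direct_hdr h = { ino, reclen, type, (uint8_t)namlen };
    memcpy(blk + off, &h, sizeof h);
    memcpy(blk + off + sizeof h, name, namlen);
    blk[off + sizeof h + namlen] = '\0';
    return off + reclen;
}

/* Constructed, well-formed 512-byte UFS1 directory block: ".", ".." and one regular file. */
void build_sample_dirblock(uint8_t blk[UFS_DIRBLKSIZ])
{
    memset(blk, 0, UFS_DIRBLKSIZ);
    size_t off = 0;
    off = put_direct(blk, off, 2, 12, 4, ".");            /* DT_DIR = 4 */
    off = put_direct(blk, off, 2, 12, 4, "..");
    put_direct(blk, off, 3, (uint16_t)(UFS_DIRBLKSIZ - off), 8, "file.txt");  /* DT_REG = 8, last entry spans the rest */
}

int main(void)
{
    uint8_t blk[UFS_DIRBLKSIZ];
    ufs_dirent ents[8];
    build_sample_dirblock(blk);
    int n = ufs_walk_dirblock(blk, sizeof blk, ents, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("ino %u type %u name %s\n", ents[i].ino, ents[i].type, ents[i].name);
    return n < 0;
}
```

The two length fields are the only attacker-controlled values that decide where the parser reads and writes, so both are validated before any copy; the 256-byte name buffer is sized for the largest value a `uint8_t` namlen can hold, which removes the fixed-buffer-versus-declared-length mismatch that typically yields a small, attacker-steerable overflow window.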
Remediation
Upgrade to NanaZip 6.0.1698.0 or later, where the vulnerability is fixed. Until the upgrade is applied, treat UFS images from untrusted sources as hostile and do not open them with an affected version.
