Published: 2012/11/07  Last Updated: 2012/11/07

JVN#18223913
BeZIP vulnerable to directory traversal

Overview

BeZIP contains a directory traversal vulnerability.

Products Affected

  • BeZIP prior to V3.10

Description

BeZIP, provided by Be Graph Co.,Ltd., is file compression/extraction software supporting the ZIP and LZH formats. BeZIP contains a directory traversal vulnerability.

Impact

An arbitrary file may be created or altered when a specially crafted archive file is extracted.
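As an added illustration of the check a safe extractor performs before writing each entry (example code added here, not BeZIP's or JVN's own), the following Python rejects ZIP entries whose path would resolve outside the destination directory; the archive contents and destination path are constructed for the demonstration.

```python
import io
import os
import posixpath
import zipfile


def is_safe_entry(name, dest):
    """True if archive entry `name` would land inside directory `dest`."""
    norm = name.replace("\\", "/")          # tolerate Windows-style separators
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False                         # absolute path or drive letter
    norm = posixpath.normpath(norm)          # "a/../../b" collapses to "../b"
    if ".." in norm.split("/"):
        return False                         # would climb out of dest
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, *norm.split("/")))
    # Final guard: the resolved target must still sit under dest.
    return os.path.commonpath([dest_abs, target]) == dest_abs


def check_archive(data, dest):
    """Split the entries of a ZIP held in `data` (bytes) into safe and rejected names."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            (safe if is_safe_entry(info.filename, dest) else rejected).append(info.filename)
    return safe, rejected


def build_sample_zip():
    """Constructed sample archive: one benign entry and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../startup.bat", "not written")   # classic ../ escape
        zf.writestr("..\\..\\evil.txt", "not written")      # backslash variant
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical destination directory; nothing is written to disk.
    ok, bad = check_archive(build_sample_zip(), "/tmp/extract-out")
    print("safe:", ok)
    print("rejected:", bad)
```

Only entries in the safe list should be passed on to the real extraction step; the rejected names are what a confirmation dialog or a log entry would surface.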

Solution

Update the software
Update to the latest version according to the information provided by the developer.

Apply a workaround
With the following workaround applied, BeZIP displays a confirmation dialog when an extracted file has the same name as an existing file instead of overwriting it silently.

  • Disable the following option on the [File]-[Options]-[Extract] tab:
    • Files of same name will always overwrite.
For more information, refer to the information provided by the developer.

Vendor Status

Vendor             Status      Last Update  Vendor Notes
Be Graph Co.,Ltd.  Vulnerable  2012/11/07   Be Graph Co.,Ltd. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2012.11.07

Measures, conditions and severity:

  • Access Required: can be attacked over the Internet using packets (Severity: High)
  • Authentication: anonymous or no authentication (IP addresses do not count) (Severity: High)
  • User Interaction Required: the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file (Severity: Mid)
  • Exploit Complexity: some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) (Severity: Mid-High)


Credit

Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2012-5171
JVN iPedia JVNDB-2012-000101