Flaw found in Lhasa makes for compression confession depression
Don't be a .LZA-boy – patch and consider where you decompress
Cisco's Talos team has found a vulnerability in the Lhasa LZH/LHA decompression tool and library, and it's a nasty one because it means the decompression process gives attackers the chance to put whatever code they want on your machine.
The problem is an integer underflow.
“The software verifies that header values are not too large, but does not check for a too small header length,” writes Talos chap Marcin Noga. “Decompressing a LHA or LZH file containing an under-value header size leads to the decompression software allocating a pointer to point to released memory on the heap. An attacker controlling the length and content of such a file can use the vulnerability to overwrite the heap with arbitrary code.”
Noga reckons the first thing bad guys would do with this flaw is put something horrid in a compressed file in the hope you open it and end up with something nasty on your machine. He's also worried that this could become an espionage tool, because the tool is used in roles where users never see it, like decompressing email attachments. If the flaw means code runs somewhere like an email server, it could read the contents of files and exfiltrate them and users who are ignorant of attachments being compressed to start with will never suspect anything is amiss.
The Lhasa GitHub repository looks to have updated to address the problem a couple of weeks ago. ®