Slashdot Mirror


StuffIt 6.5.x and Earlier Allows Buffer Overflow

A user writes in that Aladdin Systems has announced that StuffIt, versions 6.5.x and earlier for Mac OS and Mac OS X, "may contain a flaw that would cause expanding certain maliciously crafted .zip archives to execute unwanted instructions or code." Aladdin notes that no such "trojan horses" have been reported. StuffIt Expander 7.0 is, as with previous versions, free to download and use.


  1. Is this really a problem? by jpt.d · · Score: 3, Informative

    My first experience with stuffit expander 7 was a very slow one compared to the previous version (that came with Jagwyre). So I downgraded first chance.

    You shouldn't be using zip files on mac in general unless it is some sort of code or something. Malicious code would require a specific target platform of the mac to do anything substantial, and being that nobody in their right mind would create zip files for mac, I don't see much problem.

    --
    What we see depends on mainly what we look for. -- John Lubbock Now search for that bug slave!
    1. Re:Is this really a problem? by galaxy300 · · Score: 2, Insightful

      Sometimes people do need to transfer files from PC to Mac, and often Zip is the only compression scheme available to those PC users.

  2. Just Use Info-zip For ".zip"s by cmholm · · Score: 5, Informative
    For those who don't want to upgrade to Stuffit Extractor 7.0 for whatever reason:

    If you're using MacOS 9 or earlier, the potential for buffer overflows is meaningless. It wouldn't be the first time your system bailed, anyway.

    For the OS X user, just adjust your browser to make Info-zip the zip file helper, and surf over to Info-zip's site to download the source or binary.

    --
    Luke, help me take this mask off ... Just for once, let me butterfly kiss you with my own eyes.
  3. Conspiracy theory by Swumpy · · Score: 2, Interesting

    Or perhaps Aladdin just wants us to upgrade to Stuffit Expander 7, so they made up a security flaw to push their new "sitx" format...

  4. What about Stuffit Deluxe? I have to upgrade now? by Benley · · Score: 4, Interesting

    Well, what about those of us who bought Stuffit Deluxe 6.5? What if I bought FIFTY COPIES OF IT (for a lab), and I don't feel like paying for an upgrade to 7.0 yet? Looks like I'm screwed. This is not acceptable behaviour! Even Microsoft doesn't (always) act like this when security holes crop up in the previous version of their product. If Aladdin doesn't offer a patch for 6.5, I will be quite annoyed.

    Imagine what would happen if MS stopped fixing security holes in Windows 2000 all of a sudden when Windows XP came out? They would be shot in the street!

    Sorry for the sweeping generalization, but this *really* does not please me.

  5. Heh, buffer overflow in Windows's ZIP handling too by Dahan · · Score: 4, Funny
    Microsoft copying Apple yet again...

    Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q329048):

    Two vulnerabilities exist in the Compressed Folders function:

    • An unchecked buffer exists in the programs that handle the decompressing of files from a zipped file. A security vulnerability results because attempts to open a file with a specially malformed filename contained in a zipped file could possibly result in Windows Explorer failing, or in code of the attacker's choice being run.
    • The decompression function could place a file in a directory that was not the same as, or a child of, the target directory specified by the user as where the decompressed zip files should be placed. This could allow an attacker to put a file in a known location on the user's system, such as placing a program in a startup directory.
  6. Re:Thats pretty good. by Dahan · · Score: 2
    What tune is it sung to and can I get an mp3 of it?

    The Terrible Secret of Space, by The Laziest Men on Mars, of course. Even better is the Flash music video.

  7. Stuffit Exploits by 0x0d0a · · Score: 4, Interesting

    I've always had sort of a dim view of StuffIt.

    On the one hand, Stuffit has a really incredibly amazingly good interface. You can navigate through a Stuffit archive like the Finder -- it's hierarchical, supports file operations, etc. WinZip, on the other hand, has a truly amazingly awful interface. Whoever decided that it would be a really cool idea to represent files in a flat interface and then throw a big fat toolbar in (I *hate* toolbars...awful UI element) above them should be whacked.

    Anyway, the down side of Stuffit is that it is THE Mac file compression format. Compact Pro has unfortunately fallen by the wayside, and even that contender was, amazingly enough, proprietary. Why the hell can't anyone slap together tar + gzip + macbinary for the MacOS with a GUI (or something a smidgen more complicated, fair enough), so that Mac users aren't beholden to the whims of a single company? If Aladdin wanted to, they could charge $200 for their product. Not for long, but it's disgusting that they have no competition.

    Stuffit's had a long history of being exploitable. Hand it corrupted resources and try to open the file...it crashes. Create an archive containing tens of thousands of locked invisible files at the root of the archive (actually, I think Stuffit clears the lock bit, though invis is still valid), and watch what happens when a poor user drops the archive on Stuffit Expander.

    1. Re:Stuffit Exploits by jweatherley · · Score: 2

      Don't forget MacOS X has tar and gzip/gunzip available from the command line - OK there's no GUI but it's not that hard. It would be pretty trivial to knock up a GUI anyway - just don't go charging $20 for half an hour's work like some OS X chancers do...

      --
      Reverse outsourcing: it's the future
    2. Re:Stuffit Exploits by KH · · Score: 2

      There used to be a GUI version of tar and gzip for Mac. They may have been called MacTar and Macgzip for an obvious reason :) But they didn't have quite a Mac-like interface. Should be easier these days with Interface Builder and command line suites.

      Going a little off topic, I'm having a hard time stopping StuffIt Expander from expanding *.tar.gz archives. I'd rather like to do that by hand from command line. But whatever I may try (using inspector panel, from the IE preferences), when I download a tar.gz file, Expander will automatically expand tar.gz to gz to folder. This is pretty annoying. Does anyone know how to stop this?

    3. Re:Stuffit Exploits by foyle · · Score: 2, Informative

      A good alternative to StuffIt for decompressing various Unix archives on OS X is Scott Anguish's most excellent "OpenUp": http://softrak.stepwise.com/display?pkg=790&os=20

      Stone Design's "PackUpAndGo" is also an excellent product: http://www.stone.com/PackUpAndGo/PackUpAndGo.html

    4. Re:Stuffit Exploits by tbmaddux · · Score: 2
      Why the hell can't anyone slap together tar + gzip + macbinary for the MacOS with a GUI (or something a smidgen more complicated, fair enough), so that Mac users aren't beholden to the whims of a single company?
      Why not just disk images (.dmg files) created by Apple Disk Copy? It's provided with MacOS X, and you can even AES-encrypt your images. You'll still be beholden to the whims of a single company (Apple), but that's unavoidable for Mac users.
      --
      Can't you see that everyone is buying station wagons?
    5. Re:Stuffit Exploits by 0x0d0a · · Score: 2

      That's a good partial solution, but it'd be kind of nice to have an open compression format.

      For major file formats, it just seems safer to have competing products and a spec out so that more people can make new products. Stuffit is just about the only major-major-major file format on any current platform I know of that's completely closed. Just about every user on the platform runs into Stuffit files, and there's only one commercial product from one company that can create them.

      Heck, what if Aladdin started putting adware into Stuffit Expander, or Apple did? They already have "partners" with Sherlock and with default bookmarks...

    6. Re:Stuffit Exploits by proj_2501 · · Score: 2

      That's why he said Macbinary. Macbinary has been used for a LONG time to encode resource forks this way.

  8. Non-registration download for Stuffit Expander by foo12 · · Score: 5, Informative

    Going through Aladdin's web site requires you to fill out a short (marketing) form before downloading Expander. Fortunately, Aladdin also has anonymous ftp access

    ftp://ftp.aladdinsys.com/

    1. Re:Non-registration download for Stuffit Expander by Lars+T. · · Score: 2

      No it doesn't require you to fill out the form. At least I didn't and it still worked.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  9. Re:What about Stuffit Deluxe? I have to upgrade no by tbmaddux · · Score: 3, Interesting
    Imagine what would happen if MS stopped fixing security holes in Windows 2000 all of a sudden when Windows XP came out? They would be shot in the street!
    You mean like when they stopped fixing holes in Office 97?

    I feel your pain.

    --
    Can't you see that everyone is buying station wagons?
  10. Info-zip is already installed by gidds · · Score: 2, Interesting
    surf over to Info-zip's site to download the source or binary.

    Why bother, when it's already installed as part of Mac OS X? There's no manpage, but the executable is /usr/bin/zip (and /usr/bin/unzip). The 10.2.1 version says:

    Copyright (C) 1990-1996 Mark Adler, Richard B. Wales, Jean-loup Gailly Onno van der Linden and Kai Uwe Rommel. Type 'zip -L' for the software License.
    This is Zip 2.1 (April 27th 1996), by Info-ZIP.
    ...
    Compiled with gcc Apple cpp-precomp 6.14 for Unix (Apple Mac OS X) on 07/14/02.

    --

    Ceterum censeo subscriptionem esse delendam.

  11. Re: Ermm... tsarkon you butt fucking camel lick. by MoneyT · · Score: 2

    Now you've done it. He's going to stalk you all over slashdot like he stalks me.

    --
    T Money
    World Domination with a plastic spoon since 1984
  12. Re:How do buffer underun exploits work? by GMontag451 · · Score: 2

    First off, the term is buffer overflow, a buffer underrun happens during burning a CD. They work by writing data past the end of an array (usually a string buffer) literally overflowing the buffer. By writing the right data into the right places, you can replace code that was going to be executed with your own code.
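
Added example (not part of the original thread, and not code from StuffIt, Windows or Info-ZIP): the two archive-handling checks discussed above, the unchecked filename buffer and the entry that escapes the target directory, applied to the name field of a ZIP local file header. The function names, error codes and the sample header are constructed for illustration; the path check is a minimal one (absolute paths and `..` components only).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NAME_OK = 0, NAME_BAD_HEADER = -1, NAME_TOO_LONG = -2, NAME_UNSAFE_PATH = -3 };
#define LFH_SIZE 30  /* fixed part of a ZIP local file header; name follows it */

/* Reject empty names, absolute paths and any ".." component. */
static int path_is_safe(const char *p) {
    if (p[0] == '/' || p[0] == '\\' || p[0] == '\0') return 0;
    while (*p) {
        size_t n = strcspn(p, "/\\");          /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.') return 0;
        p += n; if (*p) p++;                   /* skip the separator */
    }
    return 1;
}

/* Copy the entry name into out[outsz]. The unchecked pattern would be
 * memcpy(out, hdr + 30, name_len) with name_len read straight from the
 * archive: an attacker-chosen 16-bit length against a fixed-size buffer. */
int read_entry_name(const uint8_t *hdr, size_t len, char *out, size_t outsz) {
    if (len < LFH_SIZE || memcmp(hdr, "PK\x03\x04", 4) != 0) return NAME_BAD_HEADER;
    size_t name_len = (size_t)hdr[26] | ((size_t)hdr[27] << 8);   /* little-endian */
    if (name_len > len - LFH_SIZE) return NAME_BAD_HEADER;  /* runs past the input */
    if (name_len >= outsz) return NAME_TOO_LONG;             /* would overflow out[] */
    if (memchr(hdr + LFH_SIZE, 0, name_len)) return NAME_BAD_HEADER; /* embedded NUL */
    memcpy(out, hdr + LFH_SIZE, name_len);
    out[name_len] = '\0';
    return path_is_safe(out) ? NAME_OK : NAME_UNSAFE_PATH;
}

/* Build a constructed header (sample data, not taken from a real archive).
 * claimed_len is what the header says, which need not match the real name. */
size_t make_header(uint8_t *buf, size_t bufsz, const char *name, uint16_t claimed_len) {
    size_t n = strlen(name);
    if (bufsz < LFH_SIZE + n) return 0;
    memset(buf, 0, LFH_SIZE);
    memcpy(buf, "PK\x03\x04", 4);
    buf[26] = (uint8_t)(claimed_len & 0xff);
    buf[27] = (uint8_t)(claimed_len >> 8);
    memcpy(buf + LFH_SIZE, name, n);
    return LFH_SIZE + n;
}

int main(void) {
    uint8_t buf[128]; char name[16];
    size_t n = make_header(buf, sizeof buf, "../../etc/x", 11);
    printf("%d\n", read_entry_name(buf, n, name, sizeof name));  /* NAME_UNSAFE_PATH */
    return 0;
}
```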