Critical Zlib Flaw: Attackers Trigger Buffer Overflow
A severe global buffer overflow vulnerability has emerged in the zlib untgz utility, specifically version 1.3.1.2. Attackers can exploit this flaw to corrupt memory and potentially execute malicious code using specially crafted command-line input.
The security flaw resides in the TGZfname() function of the untgz utility, where an unbounded strcpy() call processes user-supplied archive names without any length validation.
The vulnerability occurs when the utility copies attacker-controlled input from the command line into a fixed-size static global buffer of only 1,024 bytes.
Technical Details
The root cause stems from poor input handling: the archive name is derived directly from the argv[] parameters and copied into a global static array without bounds checking.
This overflow occurs immediately upon function entry, before any archive parsing or validation, making the vulnerability trivially exploitable through command-line arguments alone.
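The pattern described above, as an added example that is not zlib's own source: a fixed 1,024-byte global buffer filled by an unbounded strcpy() from an argv-derived name, shown beside a bounds-checked replacement that refuses any name which cannot fit together with its terminating NUL. The buffer name, function names and the 8,192-byte test helper are assumptions made for this illustration; only the 1,024-byte size comes from the article.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the fixed global buffer described in the article (1,024 bytes). */
#define FNAME_MAX 1024

/* Global fixed-size destination, mirroring the vulnerable pattern
 * (name is assumed; it is not the identifier used in untgz). */
static char g_fname[FNAME_MAX];

/* Vulnerable pattern (illustrative, not zlib's source): copy argv-derived
 * input into the global buffer with no length check. Never called below;
 * it exists only to show the CWE-120 shape next to the fix. */
void set_fname_unchecked(const char *name)
{
    strcpy(g_fname, name); /* writes past g_fname when name is too long */
}

/* Hardened version: reject any name that cannot fit together with its NUL. */
static int set_fname_checked(const char *name)
{
    size_t n = strlen(name);
    if (n >= FNAME_MAX)
        return -1; /* caller treats this as a usage error, not a crash */
    memcpy(g_fname, name, n + 1);
    return 0;
}

/* Current length of the stored name; lets a test verify what was kept. */
static size_t fname_length(void)
{
    return strlen(g_fname);
}

/* Test helper: build a constructed name of `len` 'A' characters and try to
 * store it. Returns set_fname_checked()'s result (-2 if len is absurd). */
static int try_name_of_length(size_t len)
{
    static char name[8192];
    if (len >= sizeof(name))
        return -2;
    memset(name, 'A', len);
    name[len] = '\0';
    return set_fname_checked(name);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <archive.tgz>\n", argv[0]);
        return 2;
    }
    if (set_fname_checked(argv[1]) != 0) {
        fprintf(stderr, "archive name too long (max %d bytes)\n", FNAME_MAX - 1);
        return 2;
    }
    printf("archive: %s\n", g_fname);
    return 0;
}
```

Building either variant with `-fsanitize=address` (the ASAN mode the researchers used) is the quickest way to confirm that the unchecked copy is reported as a global-buffer-overflow while the checked copy exits cleanly with a usage error.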
| Attribute | Details |
|---|---|
| CVE ID | Not yet assigned |
| Affected Software | zlib untgz utility |
| Affected Version | v1.3.1.2 |
| Vulnerability Type | Global Buffer Overflow |
| CWE | CWE-120 (Buffer Copy without Checking Size of Input) |
| Attack Vector | Command-line input |
| Impact | Denial of Service, Memory Corruption, Potential Code Execution |
Security researchers demonstrated that supplying an archive name exceeding 1,024 bytes triggers an out-of-bounds write past the buffer’s end, leading to memory corruption.
The potential impacts include denial-of-service crashes, corruption of adjacent global memory objects, and undefined behavior.
More critically, depending on compiler settings, system architecture, build flags, and memory layout, attackers may be able to execute code.
Researchers successfully triggered the vulnerability using AddressSanitizer (ASAN) by invoking untgz with a 4,096-byte filename argument.
The ASAN output confirmed a global buffer overflow caused by a write of 2,001 bytes to the vulnerable memory address.
Because the overflow affects global memory rather than stack memory, the corruption persists beyond the function scope and can influence subsequent program behavior.
The vulnerability requires no special privileges and has low attack complexity, making it particularly dangerous for systems using the affected zlib untgz utility.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.