CVE-2009-2261
Published 2009-06-30
Priority P259 · critical · CVSS 2.0: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 41.42% (98.5th percentile)
PeaZIP 2.6.1, 2.5.1, and earlier on Windows allows user-assisted remote attackers to execute arbitrary commands via a .zip archive with a .txt file whose name contains | (pipe) characters and a command.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| giorgio_tani | peazip | <= 2.5.1 | — |
| giorgio_tani | peazip | — | — |
Detection & IOCs
- Detect ZIP archives containing filenames with pipe characters (|) adjacent to a .txt extension, the canonical injection pattern for this CVE.
- The malicious filename inside the ZIP is crafted as README.TXT followed by space padding (up to 255 bytes total) and then "|<cmd>|.txt"; inspect ZIP central-directory filename fields for this pattern.
- The exploit pads the filename with 0x20 (space) bytes, 0xDE (222) minus the command length of them, to reach the 255-character filename limit; look for ZIP entries whose filenames contain long runs of spaces followed by pipe characters.
- The Metasploit module targets PeaZip versions prior to 2.6.2; flag PeaZip process invocations on Windows where the command line contains pipe-delimited tokens originating from a filename string.
- Exploitation requires user interaction: the victim must open the ZIP in PeaZip AND double-click the specially named file inside it.
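A defensive check for the filename pattern described in the list above, as an added example (not taken from the sources this page indexes): it reads entry names from a ZIP's central directory with Python's `zipfile` and flags any that contain a pipe. The sample archive, the inert `PLACEHOLDER` token and the 8-space padding threshold are constructed assumptions.

```python
import io
import re
import zipfile

# "|<token>|.txt" at the end of an entry name
PIPE_TXT = re.compile(r"\|[^|]*\|\.txt$", re.IGNORECASE)
# Run of spaces directly before a pipe (threshold of 8 is an assumption)
SPACE_RUN = re.compile(r" {8,}\|")


def scan_zip(data: bytes) -> list:
    """Return one finding per archive entry whose name contains a pipe."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # names are read from the central directory
            name = info.filename
            if "|" not in name:
                continue
            findings.append({
                "name": name,
                "length": len(name),
                "pipe_txt_suffix": bool(PIPE_TXT.search(name)),
                "space_padded": bool(SPACE_RUN.search(name)),
            })
    return findings


def build_sample() -> bytes:
    """Constructed test archive: one benign entry, one with an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "benign")
        zf.writestr("README.TXT" + " " * 64 + "|PLACEHOLDER|.txt", "constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample()):
        print(f"suspicious entry ({f['length']} chars): {f['name']!r} "
              f"suffix={f['pipe_txt_suffix']} padded={f['space_padded']}")
```

A pipe is not a valid character in Windows filenames, so any hit on an archive destined for Windows hosts is worth triage even when the other two flags are false.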
No detection rules found.
Exploit-DB
PeaZIP 2.6.1 - Zip Processing Command Injection (Metasploit)
exploitdb·2010-09-20
---
##
# $Id: peazip_command_injection.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex/zip'
class Metasploit3 'PeaZip %q{
This module exploits a command injection vulnerability in PeaZip. All
versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with
version 2.6.1 on Windows.
In order for the command to be executed, an attacker must convince someone to
open a specially crafted zip file with PeaZip, and access the specially file vi
Exploit-DB
PeaZIP 2.6.1 - Compressed Filename Command Injection
exploitdb·2009-06-05
---
> 0x1);
}
function addFile($data, $name, $time = 0)
{
$time= (int) $time;
$name = str_replace('\\', '/', $name);
$dtime = dechex($this->unix2DosTime($time));
$hexdtime = '\x' . $dtime[6] . $dtime[7]
. '\x' . $dtime[4] . $dtime[5]
. '\x' . $dtime[2] . $dtime[3]
. '\x' . $dtime[0] . $dtime[1];
eval('$hexdtime = "' . $hexdtime . '";');
$fr = "\x50\x4b\x03\x04";
$fr .= "\x14\x00"; // ver needed to extract
$fr .= "\x00\x00"; // gen purpose bit flag
$fr .= "\x08\x00"; // compression method
$fr .= $hexdtime; // last mod time and date
// "local file header" segment
$unc_len = strlen($data);
$crc = crc32($data);
$zdata = gzcompress($data);
$zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); // fix crc bug
$c_len = strlen($zdata);
Metasploit
PeaZip Zip Processing Command Injection
metasploit
This module exploits a command injection vulnerability in PeaZip. All versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with version 2.6.1 on Windows. In order for the command to be executed, an attacker must convince someone to open a specially crafted zip file with PeaZip, and access the specially file via double-clicking it. By doing so, an attacker can execute arbitrary commands as the victim user.
No writeups or analysis indexed.
Published: 2009-06-30