CVE-2018-16518 in Zed! FREE
Summary
by MITRE
A directory traversal vulnerability with remote code execution in Prim'X Zed! FREE through 1.0 build 186 and Zed! Limited Edition through 6.1 build 2208 allows creation of arbitrary files on a user's workstation using crafted ZED! containers because the watermark loading function can place an executable file into a Startup folder.
Analysis
by VulDB Data Team • 03/20/2020
This vulnerability exists within the Prim'X Zed container files. The vulnerability stems from improper validation of file paths during the watermark loading process, allowing attackers to craft malicious container files that can place executable payloads into the user's Windows Startup folder. This directory traversal mechanism operates by exploiting insufficient input sanitization in the software's file handling routines, specifically when processing watermark files that are embedded within the container format.
Technically, the vulnerability stems from the watermark loading function's failure to validate file paths, a classic example of a CWE-22 directory traversal flaw. When the software processes a crafted ZED! container, it does not sanitize the watermark file paths, so an attacker can supply entries whose paths traverse out of the intended directory. Because the application neither canonicalizes nor restricts the paths specified within the container, an entry can point at system locations such as the Windows Startup folder. The flaw operates at the application layer and requires no special privileges to exploit; it is triggered simply by a user opening a maliciously crafted container file.
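The root cause described above is the absence of a containment check on container-supplied file names. The following is an added example (not Prim'X code, and not based on the ZED! container format, which is not documented here) that contrasts the vulnerable join-and-write pattern with a hardened version: entry names are first checked for drive-absolute, rooted and UNC forms, then normalized with Windows path rules, and the result is required to stay under the extraction root. Sample entry names and the extraction root are constructed for illustration.

```python
import ntpath  # Windows path semantics, usable from any host OS

# Constructed extraction root (not a real deployment path).
DEST_ROOT = r"C:\Users\alice\AppData\Local\Temp\zed_extract"

# Constructed sample of names as a container might supply them for its
# watermark entries. Hypothetical; the real container layout is not described.
CONSTRUCTED_ENTRIES = [
    "watermark/logo.png",               # benign, relative
    "watermark/sub/../banner.bmp",      # benign after normalization
    "watermark/../../evil.exe",         # escapes the extraction root
    "C:/Users/Public/file.txt",         # drive-absolute
    "\\\\server\\share\\x.txt",         # UNC path
]


def unsafe_destination(dest_root, name):
    """Vulnerable pattern: trust the container-supplied name and join it as-is.

    normpath resolves '..' components, so a name containing them lands
    outside dest_root. An absolute name makes join() discard dest_root.
    """
    return ntpath.normpath(ntpath.join(dest_root, name))


def is_rooted_name(name):
    """True for names that carry a drive, a UNC prefix, or a leading separator."""
    drive, rest = ntpath.splitdrive(name)
    return bool(drive) or rest.startswith(("\\", "/"))


def safe_destination(dest_root, name):
    """Hardened pattern: return the resolved destination, or None to reject.

    1. Reject empty and rooted names before joining (join() would discard
       dest_root for an absolute name).
    2. Normalize the joined path so '..' and mixed separators are collapsed.
    3. Require the result to sit strictly inside dest_root, comparing
       case-insensitively as NTFS does.
    """
    if not name or is_rooted_name(name):
        return None
    root = ntpath.normpath(dest_root)
    candidate = ntpath.normpath(ntpath.join(root, name))
    prefix = root.lower() + "\\"
    if not candidate.lower().startswith(prefix):
        return None
    return candidate


def classify_entries(dest_root, names):
    """Map each entry name to its accepted destination, or None if rejected."""
    return {name: safe_destination(dest_root, name) for name in names}


if __name__ == "__main__":
    for name, dest in classify_entries(DEST_ROOT, CONSTRUCTED_ENTRIES).items():
        verdict = "REJECT" if dest is None else "ok"
        print(f"{verdict:6} {name!r} -> unsafe={unsafe_destination(DEST_ROOT, name)!r} safe={dest!r}")
```

The check is done lexically on the normalized string rather than by inspecting the name for ".." substrings, since separator variants and redundant segments make substring filters easy to get wrong; the same containment rule applies to any archive or container extractor that writes to disk.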
The operational impact of this vulnerability is significant as it enables persistent malware deployment on target workstations. When an attacker successfully exploits this vulnerability, they can place executable files into the Windows Startup folder, which ensures that the malicious payload will execute automatically every time a user logs into the system. This creates a persistent threat that can survive system reboots and provides attackers with a foothold for further compromise. The vulnerability can be exploited remotely through the delivery of malicious ZED! containers via email attachments, web downloads, or other social engineering techniques, making it particularly dangerous in enterprise environments where users may inadvertently download and open compromised files. The remote code execution capability allows attackers to establish backdoors, steal credentials, or deploy additional malware, while the automatic startup mechanism ensures long-term persistence without requiring additional user interaction.
Mitigation should focus on prompt software updates and user education. Organizations should prioritize deploying the latest versions of Prim'X Zed! to end users, and endpoint protection should be configured to alert on suspicious file creation in Windows Startup folders. Users should be educated about the risks of opening unknown or untrusted container files, and security awareness training should emphasize the dangers of downloading and executing files from unverified sources. The vulnerability also aligns with ATT&CK techniques T1059.001 Command and Scripting Interpreter and T1068 Exploitation for Privilege Escalation, as it enables attackers to execute arbitrary code with user privileges and to establish persistence through legitimate system startup mechanisms.