CVE-2010-5274

Vulnerability

PKZIP versions prior to 12.50.0014 (v12 Maintenance Release 5) contain an untrusted search path vulnerability. The application loads the dwmapi.dll library from the current working directory instead of a secure system path. This affects all users of PKZIP for Desktop v12.2 and later, as well as SecureZIP for Desktop versions. The flaw is triggered when a user opens a .zip file from a directory containing a malicious DLL [1].

Exploitation

An attacker with the ability to place a malicious dwmapi.dll file in a directory (e.g., via a download or removable media) can exploit this by convincing a target user to open a .zip file from that location. The attacker does not require elevated privileges; only local user access and the ability to write files to the target directory are needed. When PKZIP launches and processes the archive, it loads the attacker-controlled DLL instead of the legitimate system library, executing arbitrary code in the context of the user [1].

Impact

Successful exploitation allows the attacker to achieve arbitrary code execution under the privileges of the logged-on user. This can lead to full system compromise, data exfiltration, or installation of persistent malware. The vulnerability is locally exploitable but does not require administrative rights to trigger [1].

Mitigation

The vulnerability is fixed in PKZIP version 12.50.0014 (v12 Maintenance Release 5), available from the vendor's support portal. Users on version 12.2 or later should apply this update. For older versions (9.x or earlier), a new license key is required. The vulnerability is not listed on the CISA KEV as of 2024-07-06. No workaround is documented other than upgrading [1].