CVE-2020-28963
Description
A buffer overflow in the decompress function of ZIP Password Recovery v3.70.69.0 allows local attackers to overwrite process registers and elevate privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow exists in the decompress function of Passcovery Co. Ltd ZIP Password Recovery version 3.70.69.0 (Windows x64) [1]. It is triggered when the software loads a specially crafted project (.kpr) file whose fields are longer than the fixed-size buffers they are copied into; the overflow corrupts saved register values on the stack and ends in an uncaught exception (access violation) that an attacker can leverage to control execution [1].
Exploitation
The attacker needs a local, low-privileged user account on the target system [1]. The only user interaction required is that the victim open the malicious project file in the vulnerable software [1]. The attacker crafts a .kpr file that, when processed by the decompress function, overflows a fixed-size buffer, overwriting saved register values and triggering the uncaught exception [1].
Impact
Successful exploitation compromises the local software process and can be used to elevate privileges on the system [1]. Because the overflow alters control flow, it enables arbitrary code execution at the privilege level of the process that opened the file [1]; privilege elevation therefore depends on the victim's process running with higher privileges than the attacker's own account.
Mitigation
As of the public disclosure on 2020-06-23, no official patch or fixed version has been released by the vendor [1]. Until a fix is available, users should not open .kpr project files or archives from untrusted sources with this software [1]. The vendor, Passcovery Co. Ltd, has not announced an end-of-life date for this version [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Passcovery Co. Ltd / ZIP Password Recovery
  - Range: = 3.70.69.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds checking on input fields when parsing a .kpr project file allows overwriting stack buffers in the decompress function."
Attack vector
A low-privileged local user crafts a malicious .kpr project file in which fields such as EncryptedFile, CurrentPass, CharsSLatin, CharsCLatin, CharsSpace, CharsDigits, CharsSymbols, CharsCustom, Charset, RecoveryType, MinPassLen, MaskChar, and Mask are each padded with 1024 'A' characters [ref_id=1]. When the victim opens the file in ZIP Password Recovery v3.70.69.0, the decompress function (or the start-by/start-import code path) copies these oversized fields into fixed-size stack buffers without length validation, overwriting saved register values and the Structured Exception Handler (SEH) record stored on the stack [ref_id=1]. The crash logs show exception code c0000005 (access violation) with registers holding the padding value (e.g., eax=41414141), and the SEH chain includes modules built without SafeSEH (KLPassRec.exe, UnAceV2.Dll, UNZIP32.DLL), so the overwritten handler pointer can be redirected into one of those modules to hijack control flow and execute arbitrary shellcode [ref_id=1].
Affected code
The advisory identifies three vulnerable code paths: the decompress(file/path) function, the start by (input|length) routine, and the start import of .kpr files [ref_id=1]. The vulnerable binary is KLPassRec.exe (v3.70.69.0) and the supporting DLLs UnAceV2.DLL and UNZIP32.DLL, all compiled with SafeSEH disabled [ref_id=1].
What the fix does
No patch is provided in the advisory [ref_id=1], and the vendor has not released a fixed version addressing the buffer overflow. Remediation would require the developer to validate the length of every .kpr field against its destination buffer before copying it (rejecting or truncating oversized values), and to link all modules with SafeSEH (the /SAFESEH linker option) so that a handler pointer overwritten on the stack is not honoured. Whether a module carries a SafeSEH table can be checked with dumpbin /loadconfig, which lists a Safe Exception Handler Table when present; SafeSEH alone only rejects handlers outside that table, so DEP and ASLR remain relevant alongside it.
Preconditions
- Auth: Attacker needs only a low-privileged user account on the local Windows system.
- Input: Victim must open a crafted .kpr project file supplied by the attacker.
- Config: The target executable (KLPassRec.exe) and its helper DLLs are compiled with SafeSEH disabled, enabling SEH-based exploitation.
Reproduction
1. Run the Perl script provided in the advisory to generate bof_poc.kpr, which writes oversized 'A' strings into multiple .kpr fields (EncryptedFile, CurrentPass, CharsSLatin, etc.) [ref_id=1].
2. Open bof_poc.kpr in KRyLack ZIP Password Recovery v3.70.69.0 on a Windows x64 system.
3. Observe the application crash (APPCRASH or BEX event) with exception code c0000005 and registers overwritten with the padding value (e.g., eax=41414141) [ref_id=1].
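The overflow pattern from the attack vector and the padded-field PoC from the reproduction steps, as an added example that is not code from the advisory or the vendor. The real .kpr layout is not documented on this page, so the example assumes a simple Key=Value line format and a 256-byte destination buffer (both assumptions); the field names and the 1024-byte 'A' padding are taken from the advisory summary above. build_poc_text builds the PoC-style content, load_field_unsafe shows the unchecked copy the advisory describes (defined but never called, since it would smash the stack), and load_field_safe with parse_kpr_text shows the bounded alternative that rejects every padded field.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the advisory does not give it. */
#define FIELD_MAX 256
/* The PoC pads every field with 1024 'A' characters. */
#define PAD_LEN 1024

/* Field names listed in the advisory summary. */
static const char *const KPR_FIELDS[] = {
    "EncryptedFile", "CurrentPass", "CharsSLatin", "CharsCLatin", "CharsSpace",
    "CharsDigits", "CharsSymbols", "CharsCustom", "Charset", "RecoveryType",
    "MinPassLen", "MaskChar", "Mask"
};
#define N_FIELDS (sizeof KPR_FIELDS / sizeof KPR_FIELDS[0])

struct kpr_stats { int accepted; int rejected; };

/* Bug pattern the advisory describes: the field value lands in a fixed-size
 * stack buffer with no length check.  Deliberately vulnerable; never called
 * here, because a 1024-byte value overruns buf and corrupts the saved
 * registers and SEH record above it. */
int load_field_unsafe(const char *value)
{
    char buf[FIELD_MAX];
    strcpy(buf, value);   /* no bound: overflows when strlen(value) >= FIELD_MAX */
    return (int)strlen(buf);
}

/* Hardened form: explicit bound check before the copy.  Oversized values are
 * rejected (-1) rather than silently truncated, so a padded PoC is refused. */
int load_field_safe(const char *value, char *out, size_t outlen)
{
    size_t n = strlen(value);
    if (n >= outlen)
        return -1;
    memcpy(out, value, n + 1);
    return (int)n;
}

/* Parse "Key=Value" lines (assumed layout) through the bounded loader and
 * count how many fields fit the buffer versus how many were rejected. */
struct kpr_stats parse_kpr_text(const char *text)
{
    struct kpr_stats st = {0, 0};
    char field[FIELD_MAX];
    const char *p = text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        const char *eq = memchr(p, '=', linelen);
        if (eq) {
            size_t vlen = linelen - (size_t)(eq + 1 - p);
            char *value = malloc(vlen + 1);
            memcpy(value, eq + 1, vlen);
            value[vlen] = '\0';
            if (load_field_safe(value, field, sizeof field) < 0)
                st.rejected++;
            else
                st.accepted++;
            free(value);
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return st;
}

/* Build PoC-style project text: every advisory field set to `pad` 'A's,
 * mirroring what the advisory's generator script does.  Caller frees. */
char *build_poc_text(size_t pad)
{
    size_t cap = N_FIELDS * (pad + 32);   /* name + '=' + pad + '\n' per field */
    char *out = malloc(cap);
    size_t off = 0;
    for (size_t i = 0; i < N_FIELDS; i++) {
        off += (size_t)snprintf(out + off, cap - off, "%s=", KPR_FIELDS[i]);
        memset(out + off, 'A', pad);
        off += pad;
        out[off++] = '\n';
    }
    out[off] = '\0';
    return out;
}

int main(void)
{
    char *poc = build_poc_text(PAD_LEN);
    struct kpr_stats st = parse_kpr_text(poc);
    printf("PoC file: %d fields accepted, %d rejected as oversized\n",
           st.accepted, st.rejected);
    free(poc);
    return 0;
}
```

The parser rejects all 13 padded fields; swapping load_field_safe for load_field_unsafe in parse_kpr_text reproduces the crash class the advisory reports (stack corruption with 0x41414141 in saved registers) instead of a clean rejection.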
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.vulnerability-lab.com/get_content.php (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.