Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] WinISO/UltraISO/MagicISO/PowerISO Directory Traversal

from [Sowhat] Network Security [Permanent Link]
Subject: [Full-disclosure] WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability
Date: Fri, 28 Apr 2006 11:17:59 +0800 
WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability


By Sowhat of Nevis Labs
Date: 2006.04.28

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060428.txt


CVE: N/A

Vendor

WinISO Computing Inc.
EZB Systems, Inc.
MagicISO  Inc.
PowerISO Computing, Inc.



Affected Software

WinISO 5.3
UltraISO V8.0.0.1392
Magic ISO 5.0 Build 0166
PowerISO v2.9


Rating: Moderately critical ( 4 * Less Critical :)


Overview:

WinISO/UltraISO/PowerISO/MagicISO are the 4 most popular software to edit
BIN/ISO or almost all images file(s) directly! It can process almost all
CD-ROM image file(s) including ISO and BINs.


There is a vulnerability exists in WinISO and UltraISO, which
potentially can be exploited by malicious people to compromise a
user's system.



Description:

The vulnerability is caused due to an input validation error when
extracting an ISO archive. This makes it possible to have files
extracted to arbitrary locations outside the specified directory
using the "../" directory traversal sequence.

The vulnerability has been confirmed in version WinISO 5.3,UltraISO V8.0.0.1392,
PowerISO v2.9,Magic ISO 5.0 Build 0166

Other versions may also be affected.



POC:

http://secway.org/exploit/PoC.iso.bin

Rename the PoC.iso.bin to Poc.iso,
Extracting the PoC.iso from C driver will write a "POC" file in your
startup folder.


FIX:

Please check the vendor's website for update.

PowerISO:
"We will fixed this bug in the next released version. In the version,
we will check file name before extract. If such file is detected,
the path name will be removed from the file name, and the program
will allow user to choose whether this file can be extracted"

"Following is the registration code for you as our gift. We think this
may let you to use all features of PowerISO.

User Name         : Sowhat
Registration Code : ........"

When will Microsoft give a Windows XP license for the researchers who
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
reported a critical MS bugz for gift? :)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

UltraISO:
"Thanks for your message and the sample ISO image.

We will check it and try to fix any bugs related to this issue soon."

UltraISO fixed this vulnerability in 1 hour, but they didnt release a new
version, because
"In general, we do not change version number for minor changes. This bug
fix will be included in next file update soon."


MagicISO:
"Oops. Yes, we confirm this problem. Thank you for your report and sorry for
our mistake. We will fix this problem in next build asap."

WinISO:

Cannot be reached because of their Mail SYSTEM problems,I have tried GMAIL
and Hotmail over 10 times,

"Delivery to the following recipient failed permanently:

   support@winiso.com"

"Delivery to the following recipient failed permanently:

   info@winiso.com"


Vendor Response:

2006.04.18 4 Vendors notified via support@xxxxx.com
2006.04.18 3 of 4 Vendors responded
2006.04.28 Advisory released




--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability, Sowhat <=
Previous by Date:  Re: Instant Photo Gallery <= Multiple XSS, Steven M. Christey
Next by Date:  BL4's SMTP server BufferOverflow Vulnerable, the_day
Previous by Thread:  [Full-disclosure] [USN-275-1] Mozilla vulnerabilities, Martin Pitt
Next by Thread:  BL4's SMTP server BufferOverflow Vulnerable, the_day
Indexes:  [Date] [Thread] [Top] [All Lists]