
| Subject: | X-Diesel Unreal Commander v0.92 (build 573) multiple vulnerabilities |
|---|---|
| Date: | Thu, 23 Aug 2007 13:39:44 +0200 |

HISPASEC
Security Advisory
http://blog.hispasec.com/lab/

Name         : X-Diesel Unreal Commander v0.92 (build 573) multiple vulnerabilities
Class        : Local/Remote multiple directory traversal (Input Validation Error)
Threat level : HIGH
Discovered   : 2007-08-09
Published    : 2007-08-23
Credit       : Gynvael Coldwind
Vulnerable   : 0.92 (build 573), 0.92 (build 565), prior also may be affected

== Abstract ==

Unreal Commander is an award winning freeware file manager for Windows 98/ME/2000/XP/2003/Vista. The application supports multiple archive formats, has a built-in ftp client, and other features.

Unreal Commander fails to check user-supplied input while processing ZIP and RAR archives. A malformed ZIP or RAR file can be used to perform a directory traversal attack and place malware files in a location selected by the attacker. Successful exploitation can lead to a full compromise of the system.

== Details ==

1. ZIP directory traversal

The file name in a ZIP archive in the central directory can be malformed so that it contains upwards directory traversal, for example:

Something/../../../../../../Program Files/Something/ws2_32.dll

If the user unpacks such an archive, Unreal Commander will create the file ws2_32.dll in the specified directory, instead of the directory where the user wants to extract it. This may lead to system compromise, especially if the user executes Unreal Commander with admin privileges.

PoC: http://blog.hispasec.com/lab/files/UnrealCommander_PoC_traversal.zip

2. ZIP name spoofing

A ZIP archive contains two places where a file's name is written: Local File Header and Central Directory. Unreal Commander displays the file name according to the Central Directory, but extracts the file with the name from the Local File Header. This may misinform the user about the files contained in the archive. This can help an attacker to trick the user into extracting a dangerous file (for example, an .ani file on an unpatched Windows).

PoC: http://blog.hispasec.com/lab/files/UnrealCommander_PoC_spoof.zip

3. ZIP file size heap information leak

If the ZIP has a malformed file size in the file header, then Unreal Commander writes to the file data from the heap. This could allow potential information leak (ftp passwords ?), but this has not been confirmed.

4. RAR directory traversal

Like point 1, but regarding the RAR format.

== Vendor status and solution ==

The vendor has been informed, but has not yet released a proper patch.

The solution is to check if a RAR or ZIP file contains ".." in the names of the files in the archives. It is also advised not to run Unreal Commander with administrative privileges.

== Disclaimer ==

This document and all the information it contains is provided "as is", without any warranty. Hispasec Sistemas is not responsible for the misuse of the information provided in this advisory. The advisory is provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

Copyright (C) 2007 Hispasec Sistemas.

--
Gynvael Coldwind
mailto: gynvael@vexillium.org
mailto: michael@hispasec.com
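
The check suggested under "Vendor status and solution", together with the name mismatch from point 2, as an added Python example (not part of the advisory and not Unreal Commander code): it compares each entry's Central Directory name with its Local File Header name and flags names containing a `..` path component. The absolute-path test goes beyond what the advisory states, and the sample archive, its file names and the function names are constructed for illustration.

```python
import io
import struct
import zipfile

def is_traversal(name: str) -> bool:
    """True if the entry name has a '..' component or is an absolute path."""
    parts = name.replace("\\", "/").split("/")
    return ".." in parts or name[:1] in ("/", "\\") or name[1:2] == ":"

def audit_zip(data: bytes) -> list:
    """Compare central-directory and local-header names; flag unsafe ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():           # names from the Central Directory
            cd_name = info.orig_filename
            off = info.header_offset
            hdr = data[off:off + 30]          # fixed part of the Local File Header
            if len(hdr) < 30 or hdr[:4] != b"PK\x03\x04":
                findings.append(("bad-local-header", cd_name, None))
                continue
            (name_len,) = struct.unpack_from("<H", hdr, 26)
            enc = "utf-8" if info.flag_bits & 0x800 else "cp437"
            lf_name = data[off + 30:off + 30 + name_len].decode(enc, "replace")
            if lf_name != cd_name:            # what is shown != what is extracted
                findings.append(("name-mismatch", cd_name, lf_name))
            for name in sorted({cd_name, lf_name}):
                if is_traversal(name):
                    findings.append(("traversal", name, None))
    return findings

def build_sample() -> bytes:
    """Constructed test archive: one spoofed name, one traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("docs/../../outside.txt", b"x")
        zf.writestr("notes/ok.txt", b"fine")
    raw = bytearray(buf.getvalue())
    raw[30:40] = b"cursor.ani"   # patch only the first Local File Header name
    return bytes(raw)

if __name__ == "__main__":
    for finding in audit_zip(build_sample()):
        print(finding)
```

Matching on whole path components rather than on the substring ".." avoids rejecting legitimate names such as `..hidden/file`.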