The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vendor ISO Image Directory Traversal
------------------------------------------------------------------------
SUMMARY
" <http://www.winiso.com/> WinISO is a CD-ROM image file utility that can
convert BIN to ISO, extract/edit/create ISO files directly, make bootable
CDs and as a BIN/ISO converter/extractor/editor."
" <http://www.poweriso.com/> PowerISO is a powerful CD/DVD image file
processing tool, which allows you to open, extract, create, edit,
compress, encrypt, split and convert ISO files, and mount these files with
internal virtual drive. It can process almost all CD-ROM image files
including ISO and BIN."
" <http://www.magiciso.com/> MagicISO is a powerful and easy CD/DVD image
file edit tool. "
" <http://www.ezbsystems.com/ultraiso/> UltraISO is an ISO CD/DVD image
file creating/editing/converting tool and a bootable CD/DVD maker , it can
directly edit the CD/DVD image file and extract files and folders from it,
as well as directly make ISO files from your CD/DVD-ROM or hard disk."
Improper handling of chroot directories with ISO file handling within
WinISO, UltraISO, Magic ISO and PowerISO allow attackers to cause a
directory traversal.
DETAILS
Vulnerable Systems:
* WinISO 5.3
* UltraISO V8.0.0.1392
* Magic ISO 5.0 Build 0166
* PowerISO v2.9
The vulnerability is caused due to an input validation error when
extracting an ISO archive. This makes it possible to have files extracted
to arbitrary locations outside the specified directory using the "../"
directory traversal sequence.
Proof of Concept:
http://secway.org/exploit/PoC.iso.bin
Rename the PoC.iso.bin to Poc.iso, Extracting the PoC.iso from C driver
will write a "POC" file in your startup folder.
Vendor Status:
Please check the vendor's website for update.
PowerISO:
"We will fixed this bug in the next released version. In the version, we
will check file name before extract. If such file is detected, the path
name will be removed from the file name, and the program will allow user
to choose whether this file can be extracted"
UltraISO:
"Thanks for your message and the sample ISO image.
We will check it and try to fix any bugs related to this issue soon."
MagicISO:
"...we confirm this problem. Thank you for your report and sorry for our
mistake. We will fix this problem in next build asap."
WinISO:
Cannot be reached because of their Mail SYSTEM problems,I have tried GMAIL
and Hotmail over 10 times:
"Delivery to the following recipient failed permanently:
support@winiso.com"
"Delivery to the following recipient failed permanently:
info@winiso.com"
Disclosure Timeline:
2006.04.18 4 Vendors notified via support@xxxxx.com
2006.04.18 3 of 4 Vendors responded
2006.04.28 Advisory released
ADDITIONAL INFORMATION
The information has been provided by <mailto:smaillist@gmail.com> Sowhat.
The original article can be found at:
<http://secway.org/advisory/AD20060428.txt>
http://secway.org/advisory/AD20060428.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
