The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
iso_wincmd Plugin for Total Commander Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
A vulnerability has been found in
<http://www.totalcmd.net/plugring/iso.html> iso_wincmd Total Commander
Plugin. When exploited, the vulnerability allows execution of arbitrary
code when the user opens a malicious ISO file.
DETAILS
Vulnerable Systems:
* iso_wincmd version 1.7.3.3 (1.7.3 Beta 3)
* iso_wincmd version 1.6.10
This advisory discloses a buffer overflow vulnerability in iso_wincmd. The
stack-based buffer overflow occurs when the plugin is constructing the
full pathname of a file within an ISO image. This can be exploited to
cause a stack-based buffer overflow and allows execution of arbitrary
code.
In order to exploit this vulnerability successfully, the user must be
convinced to open a malicious ISO image file using this plugin in Total
Commander.
The buffer overflow occurs within the LoadTree() and ReadHeader()
functions. The LoadTree() and ReadHeader() functions contruct the full
pathname of each file in the ISO image by reading the directory entries
within the ISO file. The directory name that is read from each directory
entry is concatenated together using lstrcatA(), and finally with the
filename. Subsequently, the constructed full pathname is copied into a
fixed-length stack buffer using the unsafe lstrcpyA() function.
The length of each directory name is limited by the ISO format. However,
it is possible create an ISO image that contains a file nested within
several level of directories. This will create a full pathname that
overflows the stack buffer, thus allowing the saved EIP and SEH handler to
be overwritten.
Suggested Fixes:
Below are the suggested fixes for the vulnerability. You should thoroughly
test the fixes to ensure that they do not break any functionality before
using it. The suggested fixes should be used only as a temporary measure
until the vendor releases a complete fix.
NOTE: These suggested fixes are based on source code version 1.7.3.3
(1.7.3 beta 3).
1) Fix for ReadHeader() function
Locate the following line (in red) within the ReadHeader(HANDLE hArcData,
tHeaderData* HeaderData) function in iso_wincmd.cpp for version 1.7.3.3
(1.7.3 beta 3).
Directory* directory = image->DirectoryList + image->Index;
lstrcpy( HeaderData->FileName, directory->FilePath );
Replace the line in red (above) with the 4 lines of code in red shown
below.
Directory* directory = image->DirectoryList + image->Index;
if(lstrlen(directory->FilePath)+1 > sizeof(HeaderData->FileName))
return E_BAD_ARCHIVE;
else
lstrcpy( HeaderData->FileName, directory->FilePath );
2) First Fix for LoadTree() function
Locate the following line (in red) within the LoadTree() function in
iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).
if( codepage == CP_UTF8 )
lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
record->LengthOfFileIdentifier + 1 );
if( lstrrchr( directory.FileName, ';' ) )
*lstrrchr( directory.FileName, ';' ) = 0;
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), (path[0]) ? "\\" :
"" ), directory.FileName );
if( dirs )
(*dirs)[*count] = directory;
(*count)++;
Replace the lines in red (above) with the modified code in red shown
below.
if( codepage == CP_UTF8 )
lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
sizeof(directory.FileName) );
if( lstrrchr( directory.FileName, ';' ) )
*lstrrchr( directory.FileName, ';' ) = 0;
if( (lstrlen(path) + lstrlen(directory.FileName) + 2) >
sizeof(directory.FilePath) )
{
free( data );
return false;
}
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), (path[0]) ? "\\" :
"" ), directory.FileName );
if( dirs )
(*dirs)[*count] = directory;
(*count)++;
3) Second Fix for LoadTree() function
Locate the following line (in red) within the LoadTree() function in
iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).
lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));
if( lstrrchr( directory.FileName, ';' ) )
*lstrrchr( directory.FileName, ';' ) = 0;
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : ""
), directory.FileName );
if( dirs )
(*dirs)[*count] = directory;
(*count)++;
Replace the line in red (above) with the modified code in red shown below.
lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));
if( lstrrchr( directory.FileName, ';' ) )
*lstrrchr( directory.FileName, ';' ) = 0;
if( (lstrlen(path) + lstrlen(directory.FileName) + 2) >
sizeof(directory.FilePath) )
{
free( data );
return false;
}
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : ""
), directory.FileName );
if( dirs )
(*dirs)[*count] = directory;
(*count)++;
4) Third Fix for LoadTree() function
Locate the following lines (in red) within the LoadTree() function in
iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).
if( dirs )
{
Directory* dir = (*dirs) + (*count);
ZeroMemory( dir, sizeof( *dir ) );
dir->VolumeDescriptor = desc;
if( lstrlen( path ) )
{
lstrcpy( dir->FilePath, lstrcpy( dir->FileName, path ) );
lstrcat( dir->FilePath, "\\" );
lstrcat( dir->FileName, "\\" );
}
const char* boot_images = "boot.images";
lstrcat( dir->FilePath, boot_images );
lstrcat( dir->FileName, boot_images );
dir->Record.FileFlags = FATTR_DIRECTORY | FATTR_HIDDEN;
}
(*count)++;
Replace the lines in red (above) with the modified code in red shown
below.
if( dirs )
{
Directory* dir = (*dirs) + (*count);
ZeroMemory( dir, sizeof( *dir ) );
dir->VolumeDescriptor = desc;
if( lstrlen( path ) )
{
lstrcpyn( dir->FilePath, lstrcpyn( dir->FileName, path,
sizeof(dir->FileName)-1 ),
sizeof(dir->FilePath)-1 );
lstrcat( dir->FilePath, "\\" );
lstrcat( dir->FileName, "\\" );
}
const char* boot_images = "boot.images";
if( (lstrlen(dir->FilePath) + lstrlen(boot_images) + 1 >
sizeof(dir->FilePath)) ||
(lstrlen(dir->FileName) + lstrlen(boot_images) + 1 >
sizeof(dir->FileName)) )
{
free(data);
return false;
}
lstrcat( dir->FilePath, boot_images );
lstrcat( dir->FileName, boot_images );
dir->Record.FileFlags = FATTR_DIRECTORY | FATTR_HIDDEN;
}
(*count)++;
5) Fourth Fix for LoadTree() function
Locate the following lines (in red) within the LoadTree() function in
iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).
if( lstrlen( path ) )
lstrcat( lstrcat( lstrcpy( dir->FilePath, path ), "\\boot.images\\" ),
dir->FileName );
else
lstrcat( lstrcpy( dir->FilePath, "boot.images\\" ), dir->FileName );
dir->Record.LocationOfExtent = BootEntry->Entry.LoadRBA;
dir->VolumeDescriptor = desc;
Replace the lines in red (above) with the modified code in red shown
below.
if( lstrlen( path ) )
{
if(lstrlen(path) + lstrlen("\\boot.images\\") + lstrlen(dir->FileName) +
1 >
sizeof(dir->FilePath))
{
free( data );
return false;
}
lstrcat( lstrcat( lstrcpy( dir->FilePath, path ), "\\boot.images\\" ),
dir->FileName );
}
else
lstrcat( lstrcpy( dir->FilePath, "boot.images\\" ), dir->FileName );
dir->Record.LocationOfExtent = BootEntry->Entry.LoadRBA;
dir->VolumeDescriptor = desc;
6) Fix for LoadXBOXTree() function
Locate the following line (in red) within the LoadXBOXTree() function in
iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).
directory.XBOXRecord = *record;
directory.VolumeDescriptor = desc;
lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
min(record->LengthOfFileIdentifier + 1,
sizeof(directory.FileName)));
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : ""
), directory.FileName );
if( dirs )
(*dirs)[*count] = directory;
(*count)++;
Replace the line in red (above) with the modified code in red shown below.
directory.XBOXRecord = *record;
directory.VolumeDescriptor = desc;
lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
min(record->LengthOfFileIdentifier + 1,
sizeof(directory.FileName)));
if( (lstrlen(path) + lstrlen(directory.FileName) + 2) >
sizeof(directory.FilePath) )
{
free( data );
free( stack );
return false;
}
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : ""
), directory.FileName );
if( dirs )
(*dirs)[*count] = directory;
(*count)++;
Disclosure Timeline:
2006-12-18 - Vulnerability Discovered.
2006-12-19 - Initial Vendor Notification (email).
2006-12-20 - Second Vendor Notification (email).
2006-12-22 - Third Vendor Notification (ICQ).
2006-12-27 - Initial Vendor Reply. (fixed version will be released in end
January)
2006-12-30 - Public Release.
ADDITIONAL INFORMATION
The information has been provided by <mailto:vulnpost-remove@vuln.sg> Tan
Chew Keong.
The original article can be found at:
<http://vuln.sg/isowincmd173-en.html> http://vuln.sg/isowincmd173-en.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
