
| Subject: | [Full-disclosure] Buffer-overflow and directory traversal bugs in Virtools Web Player 3.0.0.100 |
|---|---|
| Date: | Fri, 30 Sep 2005 20:56:05 +0200 |
#######################################################################
Luigi Auriemma
Application: Virtools Web Player and probably also other applications
which can read the Virtools files but I can't test
http://www.virtools.com
Versions: <= 3.0.0.100
Platforms: Windows (seems also Mac is supported)
Bugs: A] buffer-overflow
B] directory traversal
Exploitation: remote/local
Date: 30 Sep 2005
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Virtools is a set of applications for creating games, demos, CAD,
simulations and other multimedia stuff.
Virtools Web Player is the program which allows the usage of these
creations from the net through its implementation in the web browser.
#######################################################################
=======
2) Bugs
=======
Besides the scripts, the Virtools packages (for example those with the
VMO extension) also contain additional files such as mp3, wav, images
and so on, which are extracted to a temporary folder in the system temp
directory, for example c:\windows\temp\VTmp26453
------------------
A] buffer-overflow
------------------
A buffer-overflow bug exists in the handling of the names of the files
contained in the Virtools packages.
A filename of at least 262 bytes overwrites the EIP register, allowing
possible execution of malicious code.
----------------------
B] directory traversal
----------------------
As previously said, the files are stored in a temporary directory, and
if files with the same names already exist they are fully overwritten.
The problem here is that there are no checks on the filenames, so the
usage of the classical "..\" patterns allows an attacker to overwrite
any file on the disk where the system temp folder is located (usually
c:\).
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/virtbugs.zip
#######################################################################
======
4) Fix
======
Version 3.0.0.101
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
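
Added example, not part of the original advisory and not Virtools code: both
bugs in section 2 come from using the embedded file name unchecked, so this
sketch shows the validation an extractor can apply before writing a package
member to its temp folder. The function names, the 128-byte limit and the
sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MEMBER_NAME 128   /* assumed limit for this example */

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Returns 1 if the embedded name is a bounded, relative path that cannot
 * leave the extraction directory, 0 otherwise. */
int member_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_MEMBER_NAME) return 0;  /* bug A: oversized name */
    if (is_sep(name[0])) return 0;                    /* rooted path */
    if (strchr(name, ':')) return 0;                  /* drive letter or stream */
    for (const char *p = name; *p; ) {
        const char *start = p;
        while (*p && !is_sep(*p)) p++;
        size_t n = (size_t)(p - start);
        if (n > 0 && strspn(start, ".") == n) return 0;  /* bug B: ".", ".." */
        if (*p) p++;
    }
    return 1;
}

/* Builds "<dir>\<name>" in out. Returns 0 on success, -1 if the name is
 * rejected or the result would not fit (never truncates silently). */
int build_extract_path(const char *dir, const char *name, char *out, size_t outsz)
{
    if (!member_name_ok(name)) return -1;
    int n = snprintf(out, outsz, "%s\\%s", dir, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from a real package. */
    const char *names[] = { "sounds\\intro.mp3", "..\\..\\boot.ini", "c:\\autoexec.bat" };
    char path[260];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s -> %s\n", names[i], build_extract_path(
               "c:\\windows\\temp\\VTmp26453", names[i], path, sizeof path) == 0
               ? path : "REJECTED");
    return 0;
}
```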