
Topic : WinImage 8.10 vulnerabilities

SecurityAlert : 3140
CVE : CVE-2007-4962
CVE : CVE-2007-4963
CVE : CVE-2007-4964
SecurityRisk : Medium
Remote Exploit : No
Local Exploit : Yes
Exploit Available : Yes
Credit : j00ru//vx
Published : 19.09.2007

Affected Software : WinImage 8.10

Advisory Content :

Team Vexillium
Security Advisory
http://vexillium.org/

Name : WinImage 8.10 Multiple Vulnerabilities
Class : Denial of Service and Directory Traversal
Threat level : LOW (DoS), MED (Dir. traversal vuln)
Discovered : 2007-08-31
Published : 2007-09-15
Credit : j00ru//vx
Vulnerable : WinImage 8.10,
WinImage 8.0,
prior versions may also be affected

== Abstract ==

WinImage is a disk image browsing application with many useful functions,
such as injecting files into and extracting files from disk images,
handling virtual machine hard disk files, and so on.

The first vulnerability, a Denial of Service, exists in the FAT image
handling code (diskette image files are the main trigger, but a modified
header in another image format may produce the same hang). A successful
DoS is achieved by opening a specially crafted .IMG file whose header has
been modified. Because the FAT header is not validated, the application
enters an infinite loop, and the only way out is to terminate the process.

The second one, a Directory Traversal, was found in .IMG and .ISO image
processing. During file extraction there is no check for whether a file
or directory name contains a string such as "..". Extracting an image
that contains folders or files with such malformed names can therefore
be used to create a file or directory in any location (chosen by the
attacker) on the selected partition, without the user's knowledge.

== Details ==

1. Denial of Service vulnerability

The DoS is very easy to trigger: it only takes modifying a few bytes of a
diskette image (IMG file). The header field that WinImage does not check
is BPB_BytsPerSec, a WORD (2 bytes) at offset 11, as described in the
"Microsoft Extensible Firmware Initiative FAT32 File System Specification".
The most important constraint is stated clearly in that document:

"This value may take on only the following values: 512, 1024, 2048 or
4096."

The code that processes the FAT header enforces no such condition, so the
value can be set to anything in the range 0-65535. After the 2-byte
modification (the changed word is shown in braces; 00 02 is 512 in
little-endian byte order, AA AA is 43690):

EB 3C 90 29 6C 75 68 64 49 48 43 00 {00 02} 01 00
--->
EB 3C 90 29 6C 75 68 64 49 48 43 00 {AA AA} 01 00

opening the changed file does not succeed; instead the application hangs
in an infinite loop. More precisely, the endless loop looks like this:

.text:00415432 loc_415432:                ; CODE XREF: sub_415400+4Aj
.text:00415432     test    eax, eax
.text:00415434     jbe     short loc_41544C
.text:00415436     mov     ecx, [esi+210h]
.text:0041543C     add     [ebx], ecx
.text:0041543E     mov     edi, eax
.text:00415440     call    sub_4155C0
.text:00415445     cmp     eax, 0FFFFFF0h
.text:0041544A     jb      short loc_415432

With such a modified file, all that remains is to convince somebody to
open it. This Denial of Service is not very harmful in practice, but it
is a typical header-based vulnerability and should be corrected.

Proof of Concept: http://j00ru.vexillium.org/vuln/winimage/dos_PoC.IMG

2. Directory Traversal vulnerability

A specially malformed disk image (as before, .IMG and .ISO processing is
vulnerable, but handling of other formats is likely to be as well) may
contain a directory or file name with an upward traversal string inside,
such as:

readme.txt/../../../../../../../../sth.bat

When extracting a file with such a name, WinImage creates "sth.bat" in the
partition root instead of the expected "readme.txt" in the chosen path.
It is thus possible to extract a file with any name to any location of the
attacker's choosing; for example, a .BAT file could be dropped into the
Startup folder on the Windows installation partition.
Another important point is that the real file name and path can be
hidden by making the name look like:

readme.txt
/../../../../../../../../asdf.exe

so that only "readme.txt" is shown to the user. The same applies to
folders: if a directory name is, for example,
"../../../../../../../../asdf", then all of its subdirectories and files
are extracted into a folder named "asdf" created in the partition root.
Both the file-name and the directory-name variants are demonstrated in
the PoC file provided (folders TEST1 and TEST2).

Proof of Concept: http://j00ru.vexillium.org/vuln/winimage/dir_PoC.IMG

== Solution ==

1. Denial of Service vulnerability

The best way to prevent WinImage from hanging is to add a check of the
BPB_BytsPerSec value and report an image header error if it is greater
than 4096 (or, better, if it is not exactly one of 512, 1024, 2048 or
4096). A value of 0 deserves explicit rejection as well, since the
specification's layout formulas divide by BPB_BytsPerSec. This should be
enough to eliminate this DoS vulnerability.
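The header check asked for above, written out as an added Python example for the DoS section and this solution (it is not WinImage code and is not part of the original advisory). It builds a constructed 512-byte FAT12 boot sector that reuses the jump and OEM-name bytes from the dump in the Details section, applies the advisory's {AA AA} edit at offset 11, and runs a validator that rejects the modified header before any layout arithmetic touches it. Field offsets and the formulas in compute_layout come from the FAT specification the advisory cites; the extra checks on BPB_SecPerClus, BPB_RsvdSecCnt, BPB_NumFATs and BPB_FATSz16 go beyond the advisory's single check, and the floppy geometry values are assumptions chosen to match a standard 1.44 MB diskette.

```python
import struct

# Values BPB_BytsPerSec may legally take, per the Microsoft FAT specification.
VALID_BYTES_PER_SECTOR = (512, 1024, 2048, 4096)

# Byte offsets of the BPB fields used below (FAT12/FAT16 layout, from the spec).
OFF_BYTS_PER_SEC = 11   # WORD
OFF_SEC_PER_CLUS = 13   # BYTE
OFF_RSVD_SEC_CNT = 14   # WORD
OFF_NUM_FATS     = 16   # BYTE
OFF_ROOT_ENT_CNT = 17   # WORD
OFF_TOT_SEC16    = 19   # WORD
OFF_FAT_SZ16     = 22   # WORD


def build_boot_sector(bytes_per_sec=512):
    """Constructed sample: a 512-byte FAT12 boot sector with 1.44 MB floppy
    geometry (assumed values). Jump and OEM-name bytes match the advisory's dump."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"                       # jump over the BPB
    sec[3:11] = b")luhdIHC"                          # OEM name: 29 6C 75 68 64 49 48 43
    struct.pack_into("<H", sec, OFF_BYTS_PER_SEC, bytes_per_sec)
    sec[OFF_SEC_PER_CLUS] = 1
    struct.pack_into("<H", sec, OFF_RSVD_SEC_CNT, 1)
    sec[OFF_NUM_FATS] = 2
    struct.pack_into("<H", sec, OFF_ROOT_ENT_CNT, 224)
    struct.pack_into("<H", sec, OFF_TOT_SEC16, 2880)
    sec[21] = 0xF0                                   # BPB_Media: 1.44 MB floppy
    struct.pack_into("<H", sec, OFF_FAT_SZ16, 9)
    sec[510:512] = b"\x55\xAA"                       # boot sector signature
    return bytes(sec)


def patch_bytes_per_sec(sector, value):
    """Reproduce the advisory's 2-byte edit: overwrite BPB_BytsPerSec at offset 11."""
    sec = bytearray(sector)
    struct.pack_into("<H", sec, OFF_BYTS_PER_SEC, value)
    return bytes(sec)


def parse_bpb(sector):
    """Read the BPB fields needed to lay out a FAT12/FAT16 image."""
    if len(sector) < 512:
        raise ValueError("boot sector shorter than 512 bytes")
    return {
        "BytsPerSec": struct.unpack_from("<H", sector, OFF_BYTS_PER_SEC)[0],
        "SecPerClus": sector[OFF_SEC_PER_CLUS],
        "RsvdSecCnt": struct.unpack_from("<H", sector, OFF_RSVD_SEC_CNT)[0],
        "NumFATs":    sector[OFF_NUM_FATS],
        "RootEntCnt": struct.unpack_from("<H", sector, OFF_ROOT_ENT_CNT)[0],
        "TotSec16":   struct.unpack_from("<H", sector, OFF_TOT_SEC16)[0],
        "FATSz16":    struct.unpack_from("<H", sector, OFF_FAT_SZ16)[0],
    }


def validate_bpb(bpb):
    """Return a list of header errors; an empty list means the header is sane.
    The first check is the one the advisory asks for; the others reject values
    that would make the layout arithmetic divide by zero or place the FAT
    region beyond the end of the image (images that use BPB_TotSec32 instead
    of BPB_TotSec16 are out of scope for this sample)."""
    errors = []
    if bpb["BytsPerSec"] not in VALID_BYTES_PER_SECTOR:
        errors.append("BPB_BytsPerSec=%d, must be one of %s"
                      % (bpb["BytsPerSec"], VALID_BYTES_PER_SECTOR))
    spc = bpb["SecPerClus"]
    if spc == 0 or spc & (spc - 1):
        errors.append("BPB_SecPerClus=%d, must be a power of two" % spc)
    if bpb["RsvdSecCnt"] == 0:
        errors.append("BPB_RsvdSecCnt must not be 0")
    if bpb["NumFATs"] == 0:
        errors.append("BPB_NumFATs must not be 0")
    if bpb["FATSz16"] == 0:
        errors.append("BPB_FATSz16 must not be 0 on a FAT12/FAT16 image")
    if not errors:
        system = bpb["RsvdSecCnt"] + bpb["NumFATs"] * bpb["FATSz16"]
        if system >= bpb["TotSec16"]:
            errors.append("reserved+FAT sectors exceed BPB_TotSec16")
    return errors


def compute_layout(bpb):
    """Derive the on-disk layout with the spec's formulas. Refuses a header
    that fails validation, so the division below can never be by zero."""
    errors = validate_bpb(bpb)
    if errors:
        raise ValueError("; ".join(errors))
    bps = bpb["BytsPerSec"]
    root_dir_sectors = (bpb["RootEntCnt"] * 32 + (bps - 1)) // bps
    first_data_sector = bpb["RsvdSecCnt"] + bpb["NumFATs"] * bpb["FATSz16"] + root_dir_sectors
    data_sectors = bpb["TotSec16"] - first_data_sector
    clusters = data_sectors // bpb["SecPerClus"]
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"RootDirSectors": root_dir_sectors, "FirstDataSector": first_data_sector,
            "CountofClusters": clusters, "FATType": fat_type}


def check_image(sector):
    """Front door: (True, layout) for an openable header, (False, reason) otherwise."""
    try:
        return True, compute_layout(parse_bpb(sector))
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    good = build_boot_sector()
    bad = patch_bytes_per_sec(good, 0xAAAA)       # the advisory's {AA AA} edit
    print(good[:16].hex(" "))
    print(check_image(good))
    print(check_image(bad))
```

The point of routing every open through check_image is that the parser never reaches the sector-count loop with an unchecked header: the 0xAAAA image is refused with a header error, and a zero value is caught before it can turn into a division by zero in the root-directory size calculation.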

2. Directory Traversal vulnerability

In the case of this vulnerability, every file and directory name must be
checked before extraction. The simplest fix is to remove any ".." found
in a name before the extraction step. Note, however, that deleting ".."
on its own is not sufficient: a name can also be absolute (a leading "\"
or "/", or a drive letter), and stripping ".." from "..\sth.bat" leaves
"\sth.bat", which still lands in the root of the current drive. The robust
approach is to normalise the full output path and verify that it stays
inside the chosen extraction directory. It is also a good idea not to run
WinImage with administrative privileges, which denies it write access to
the most important Windows directories such as "Program Files" and
"WINDOWS" ;>
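An added Python example of the name check described in the Directory Traversal details and in this solution (it is not WinImage code and is not part of the original advisory). Rather than deleting ".." substrings, it normalises each entry name and verifies that the final output path stays inside the chosen extraction directory, rejecting absolute paths, drive letters and control characters on the way. The sample entry names are constructed to mirror the PoC's TEST1/TEST2 cases, the naive_strip_dotdot helper exists only to contrast the substring-removal approach, and the destination /mnt/extract is an arbitrary placeholder.

```python
import posixpath


def normalize_member_name(name):
    """Canonicalise an image entry name the way the extractor must see it:
    both separator styles unified, then '.' and '..' components collapsed.
    Control characters (the line-break trick from the advisory) are rejected
    rather than stripped, because a stripped name is no longer what the user
    was shown in the file list."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        raise ValueError("control character in entry name: %r" % name)
    return posixpath.normpath(name.replace("\\", "/"))


def safe_extract_path(dest_root, member_name):
    """Return the output path for `member_name` under `dest_root`, or raise
    ValueError when the entry would be written outside `dest_root`."""
    root = posixpath.normpath(dest_root)
    norm = normalize_member_name(member_name)
    # Absolute paths and drive letters never belong in an image entry.
    if norm.startswith("/") or (len(norm) >= 2 and norm[1] == ":"):
        raise ValueError("absolute path in entry name: %r" % member_name)
    # After normalisation any surviving leading '..' points above the root.
    if norm == ".." or norm.startswith("../"):
        raise ValueError("path traversal in entry name: %r" % member_name)
    target = posixpath.normpath(posixpath.join(root, norm))
    # Final containment check: the joined path must be the root or inside it.
    if target != root and not target.startswith(root.rstrip("/") + "/"):
        raise ValueError("entry escapes destination: %r" % member_name)
    return target


def is_safe_member(dest_root, member_name):
    """Boolean wrapper around safe_extract_path for filtering an entry list."""
    try:
        safe_extract_path(dest_root, member_name)
        return True
    except ValueError:
        return False


def naive_strip_dotdot(member_name):
    """Substring removal of '..' only, shown for contrast: it turns '..\\sth.bat'
    into '\\sth.bat', which Windows resolves to the root of the current drive."""
    return member_name.replace("..", "")


def plan_extraction(dest_root, member_names):
    """Map each entry to ('ok', path) or ('rejected', reason) without touching disk."""
    plan = {}
    for name in member_names:
        try:
            plan[name] = ("ok", safe_extract_path(dest_root, name))
        except ValueError as exc:
            plan[name] = ("rejected", str(exc))
    return plan


# Constructed entry names modelled on the advisory's PoC (TEST1/TEST2 cases),
# plus absolute-path and drive-letter variants that a '..' filter would miss.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "readme.txt/../../../../../../../../sth.bat",
    "readme.txt\n/../../../../../../../../asdf.exe",
    "../../../../../../../../asdf/notes.txt",
    "..\\sth.bat",
    "\\Windows\\sth.bat",
    "C:/Windows/sth.bat",
]

if __name__ == "__main__":
    for name, (status, detail) in plan_extraction("/mnt/extract", SAMPLE_ENTRIES).items():
        print("%-8s %-45r %s" % (status, name, detail))
    print(repr(naive_strip_dotdot("..\\sth.bat")))
```

Only the first sample entry is extracted; the other six are refused with a reason the UI can show. The containment check is done on the normalised path rather than on the raw name, so a harmless "a/b/../c.txt" still extracts to "a/c.txt" while "..foo", a legitimate name that a substring filter would mangle, is left intact.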

== Vendor status ==

The vendor has been informed of these vulnerabilities but has not yet
released a fixed version of the program.

== Disclaimer ==

This document and all the information it contains is provided "as is",
without any warranty. The author is not responsible for misuse of the
information provided in this advisory. The advisory is provided for
educational purposes only.

Permission is hereby granted to redistribute this advisory, provided
that no changes are made and that the copyright notices and disclaimers
remain intact.

Copyright (C) 2007 j00ru of the Vexillium.
