Buffer-overflow and directory traversal bugs in Virtools Web Player 3.0.0.100

2005.10.01
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

####################################################################### Luigi Auriemma Application: Virtools Web Player and probably also other applications which can read the Virtools files but I can't test http://www.virtools.com Versions: <= 3.0.0.100 Platforms: Windows (seems also Mac is supported) Bugs: A] buffer-overflow B] directory traversal Exploitation: remote/local Date: 30 Sep 2005 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: http://aluigi.altervista.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Virtools is a set of applications for creating games, demos, CAD, simulations and other multimedia stuff. Virtools Web Player is the program which allows the usage of these creations from the net through its implementation in the web browser. ####################################################################### ======= 2) Bugs ======= Other than the scripts the Virtools packages (for example those with extension VMO) contain also some additional files like mp3, wav, images and so on which are extracted in a temporary folder in the system temp directory like, for example, c:windowstempVTmp26453 ------------------ A] buffer-overflow ------------------ Exists a buffer-overflow bug which happens during the handling of the names of the files contained in the Virtools packages. A filename of at least 262 bytes overwrites the EIP register allowing possible execution of malicious code. ---------------------- B] directory traversal ---------------------- As previously said the files are stored in a temporary directory and if already exist files with the same names they are fully overwritten. The problem here is that there are no checks on the filenames so the usage of the classical ".." patterns allows an attacker to overwrite any file in the disk where is located the system temp folder (usually c:). ####################################################################### =========== 3) The Code =========== http://aluigi.altervista.org/poc/virtbugs.zip ####################################################################### ====== 4) Fix ====== Version 3.0.0.101 ####################################################################### --- Luigi Auriemma http://aluigi.altervista.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top