[NT] DivX Player Skin Directory Traversal
From: SecuriTeam (support_at_securiteam.com)
Date: 01/23/05
- Previous message: SecuriTeam: "[NT] Multiple Vulnerabilities in Comersus BackOffice Lite"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 23 Jan 2005 14:30:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
DivX Player Skin Directory Traversal
------------------------------------------------------------------------
SUMMARY
As the name suggests, <http://www.divx.com/divx/player/> DivX Player is
"a Windows player for DivX files. It is included by default in the DivX
codec distributed by DivXNetworks".
Due to improper filtering by the DivX Player skin installer, an attacker
can cause DivX Player to overwrite arbitrary files by utilizing a
directory traversal vulnerability.
DETAILS
Vulnerable Systems:
* DivX Player version 2.6 and prior
The skins used by DivX Player are actually zip files containing all the
needed images and a script file. When the player loads a skin, it unpacks
the skin in the temporary system directory into a folder folder named with
the DPS's name.
An attacker can overwrite the files on the victim's disk in that is
located the temporary folder (usually c:) using the classical directory
traversal path like:
..\..\..\..\windows\notepad.exe
Can be used both slash and backslash.
Proof of concept:
A proof of concept can be downloaded from:
<http://aluigi.altervista.org/poc/divxplayerbug.dps>
http://aluigi.altervista.org/poc/divxplayerbug.dps
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/divxplayer-adv.txt>
http://aluigi.altervista.org/adv/divxplayer-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] Multiple Vulnerabilities in Comersus BackOffice Lite"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [EXPL] Opera Skinned and Opera Directory Traversal (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... While installing Opera,
if the "USE SEPARATE SETTINGS FOR EACH USER" ... the "opera7/profile" folder is stored
in the ... This demonstrates the first vulnerability. ... (Securiteam) - [NT] McAfee Network Associates ePolicy Orchestrator Agent Privilege Escalation
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The ePolicy Orchestrator Agent
web server (which runs on TCP port 8081 by ... (which is created by the EPO agent and is the
folder that serves as the ... By using the Junction tool available at ...
(Securiteam) - [EXPL] PHP-Nuke cid SQL Injection
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... PHP-Nuke contains an exploitable
SQL injection vulnerability that can be ... print $socket "User-Agent: Internet Explorer
6.0\n"; ... (Securiteam) - [UNIX] Simple PHP Blog Directory Traversal
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Two vulnerabilities in Simple
PHP Blog are caused by inadequate testing ... To create folder http:///sphpblog/createdir/
... In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages. ... (Securiteam)
