[NT] Multiple Vendor ISO Image Directory Traversal

---

• From: SecuriTeam <support@xxxxxxxxxxxxxx>
• Date: 1 May 2006 13:57:49 +0200

---

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Multiple Vendor ISO Image Directory Traversal
------------------------------------------------------------------------


SUMMARY

" <http://www.winiso.com/> WinISO is a CD-ROM image file utility that can
convert BIN to ISO, extract/edit/create ISO files directly, make bootable
CDs and as a BIN/ISO converter/extractor/editor."
" <http://www.poweriso.com/> PowerISO is a powerful CD/DVD image file
processing tool, which allows you to open, extract, create, edit,
compress, encrypt, split and convert ISO files, and mount these files with
internal virtual drive. It can process almost all CD-ROM image files
including ISO and BIN."
" <http://www.magiciso.com/> MagicISO is a powerful and easy CD/DVD image
file edit tool. "
" <http://www.ezbsystems.com/ultraiso/> UltraISO is an ISO CD/DVD image
file creating/editing/converting tool and a bootable CD/DVD maker , it can
directly edit the CD/DVD image file and extract files and folders from it,
as well as directly make ISO files from your CD/DVD-ROM or hard disk."

Improper handling of chroot directories with ISO file handling within
WinISO, UltraISO, Magic ISO and PowerISO allow attackers to cause a
directory traversal.

DETAILS

Vulnerable Systems:
* WinISO 5.3
* UltraISO V8.0.0.1392
* Magic ISO 5.0 Build 0166
* PowerISO v2.9

The vulnerability is caused due to an input validation error when
extracting an ISO archive. This makes it possible to have files extracted
to arbitrary locations outside the specified directory using the "../"
directory traversal sequence.

Proof of Concept:
http://secway.org/exploit/PoC.iso.bin

Rename the PoC.iso.bin to Poc.iso, Extracting the PoC.iso from C driver
will write a "POC" file in your startup folder.

Vendor Status:
Please check the vendor's website for update.

PowerISO:
"We will fixed this bug in the next released version. In the version, we
will check file name before extract. If such file is detected, the path
name will be removed from the file name, and the program will allow user
to choose whether this file can be extracted"

UltraISO:
"Thanks for your message and the sample ISO image.
We will check it and try to fix any bugs related to this issue soon."

MagicISO:
"...we confirm this problem. Thank you for your report and sorry for our
mistake. We will fix this problem in next build asap."

WinISO:
Cannot be reached because of their Mail SYSTEM problems,I have tried GMAIL
and Hotmail over 10 times:
"Delivery to the following recipient failed permanently:
support@xxxxxxxxxx"
"Delivery to the following recipient failed permanently:
info@xxxxxxxxxx"

Disclosure Timeline:
2006.04.18 4 Vendors notified via support@xxxxxxxxx
2006.04.18 3 of 4 Vendors responded
2006.04.28 Advisory released


ADDITIONAL INFORMATION

The information has been provided by <mailto:smaillist@xxxxxxxxx> Sowhat.
The original article can be found at:
<http://secway.org/advisory/AD20060428.txt>
http://secway.org/advisory/AD20060428.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

---

• Prev by Date: [NEWS] Apple Mac OS X Safari 2.0.3 DoS (Large ROWSPAN)
• Next by Date: [EXPL] OCE Printer Webserver DoS Exploit
• Previous by thread: [NEWS] Apple Mac OS X Safari 2.0.3 DoS (Large ROWSPAN)
• Next by thread: [EXPL] OCE Printer Webserver DoS Exploit
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Utility to extract iso files without burning ... I never tried it but bsdtar is able to extract an iso image. ... "tar creates and manipulates streaming archive files. ... (freebsd-questions) Re: Redhat Linux 9 installation help needed!!! ... And when i boot from a floppy i get up to "The Redhat Linux CD was not found ... I tried extract all the files to the cd and also I tried ... What command did you use to burn the CDs? ... Just copying an ISO to a CD ... (linux.redhat.misc) Re: Extracting CD boot loaders ... Anyone know ways to extract the CD boot loaders under Linux? ... I want to add more files to them (then pack them up again as iso) before ... isomaster is one possibility, that works quite well. ... (Debian-User) Re: Redhat Linux 9 installation help needed!!! ... And when i boot from a floppy i get up to "The Redhat Linux CD was not ... I tried extract all the files to the cd and also I ... Just copying an ISO to a CD ... ..iso file and burn them to a CDROM. ... (linux.redhat.misc) Re: help w/ mandrake isos install - save yourself making a coaster ... > needed to extract all the files from the iso. ... and it's -specifically- for buring iso installer disks....and it ... if your checksum matches the number it should, you then burn THAT file ... (comp.os.linux.setup)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)