SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Virtools Web Player Vendors:   Virtools
Virtools Web Player Buffer Overflow and Directory Traversal
SecurityTracker Alert ID:  1014993
SecurityTracker URL:  http://securitytracker.com/id/1014993
CVE Reference:   CVE-2005-3135, CVE-2005-3136   (Links to External Site)
Updated:  Jun 15 2008
Original Entry Date:  Sep 30 2005
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.0.0.100 and prior versions
Description:   Luigi Auriemma reported a vulnerability in Virtools Web Player. A remote user may be able to cause arbitrary code to be executed or arbitrary files to be created or overwritten on the target user's system.

A user can create a specially crafted filename that, when processed by Virtools, will trigger a buffer overflow and potentially execute arbitrary code. A filename longer than 262 bytes will trigger the overflow.

The software does not properly validate filenames. A user can create a filename containing '..\' directory traversal characters to cause the software to create temporary files in arbitrary locations or overwrite files on the target system.

Some demonstration exploit code is available at:

http://aluigi.altervista.org/poc/virtbugs.zip

Impact:   A remote user can create a file that, when processed by the target user, will execute arbitrary code on the target user's system.

A remote user can create a file that, when processed by the target user, will create or overwrite arbitrary files on the target user's system.

Solution:   The vendor has issued a fixed version (3.0.0.101).
Vendor URL:  www.virtools.com/downloads/about3.0.asp (Links to External Site)
Cause:   Boundary error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Buffer-overflow and directory traversal bugs in Virtools Web Player

#######################################################################

                             Luigi Auriemma

Application:  Virtools Web Player and probably also other applications
              which can read the Virtools files but I can't test
              http://www.virtools.com
Versions:     <= 3.0.0.100
Platforms:    Windows (seems also Mac is supported)
Bugs:         A] buffer-overflow
              B] directory traversal
Exploitation: remote/local
Date:         30 Sep 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Virtools is a set of applications for creating games, demos, CAD,
simulations and other multimedia stuff.
Virtools Web Player is the program which allows the usage of these
creations from the net through its implementation in the web browser.


#######################################################################

=======
2) Bugs
=======


Other than the scripts the Virtools packages (for example those with
extension VMO) contain also some additional files like mp3, wav, images
and so on which are extracted in a temporary folder in the system temp
directory like, for example, c:\windows\temp\VTmp26453


------------------
A] buffer-overflow
------------------

Exists a buffer-overflow bug which happens during the handling of the
names of the files contained in the Virtools packages.
A filename of at least 262 bytes overwrites the EIP register allowing
possible execution of malicious code.


----------------------
B] directory traversal
----------------------

As previously said the files are stored in a temporary directory and if
already exist files with the same names they are fully overwritten.
The problem here is that there are no checks on the filenames so the
usage of the classical "..\" patterns allows an attacker to overwrite
any file in the disk where is located the system temp folder (usually
c:\).


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/virtbugs.zip


#######################################################################

======
4) Fix
======


Version 3.0.0.101


#######################################################################


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC