Category:   Application (Generic)  >   UnAce
Vendors:   winace.com
UnAce Buffer Overflows and Input Validation Holes May Let Remote Users Execute Arbitrary Code or Overwrite Files
SecurityTracker Alert ID:  1013265
SecurityTracker URL:  http://securitytracker.com/id/1013265
CVE Reference:   CVE-2005-0160, CVE-2005-0161
Date:  Feb 23 2005
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2b
Description:   Several vulnerabilities were reported in UnAce. A remote user can create an archive that, when processed by UnAce, will execute arbitrary code on the target user's system. A remote user may also be able to cause files to be overwritten.

One flaw is due to an incorrect strncpy() call when extracting, testing, or listing an ACE archive. A remote user can create a specially crafted ACE archive that, when processed by the target user, will trigger a buffer overflow and modify the EIP register [CVE: CVE-2005-0160].

Two other buffer overflows exist in the processing of archive name command line arguments that are longer than 15,600 characters and in the processing of printing strings [CVE: CVE-2005-0160].

The software also does not properly process filename characters [CVE: CVE-2005-0161]. A remote user can create a specially crafted filename within an archive that contains '../' directory traversal characters or specifies an absolute path. Then, when the archive is extracted, the file may be extracted to an alternate location indicated by the absolute or relative pathname.
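The two classes of flaw described above (a copy length taken from the archive, and member filenames that are absolute or contain '../') call for two checks before extraction. The following is an added example, not UnAce code and not the reporter's patch; the function names and the 256-byte buffer size are assumptions made for illustration.

```c
/* Added example, not UnAce source; names and sizes are hypothetical. */
#include <stdio.h>
#include <string.h>
#define NAME_MAX_LEN 256  /* assumed filename buffer size */

/* Copy a filename field whose length came from the archive header. The
 * length is checked against the destination and the bytes actually present,
 * never trusted as-is. Returns 0 on success, -1 to reject the header. */
int copy_member_name(char *dst, size_t dst_size, const char *field,
                     size_t claimed_len, size_t bytes_available)
{
    if (dst_size == 0 || claimed_len >= dst_size || claimed_len > bytes_available)
        return -1;
    if (memchr(field, '\0', claimed_len) != NULL)
        return -1;                      /* embedded NUL would hide a suffix */
    memcpy(dst, field, claimed_len);
    dst[claimed_len] = '\0';            /* strncpy() does not guarantee this */
    return 0;
}

/* Accept only relative paths with no ".." component ('/' and '\\' separate). */
int is_safe_member_path(const char *name)
{
    const char *p = name;
    if (*p == '\0' || *p == '/' || *p == '\\')
        return 0;                       /* empty or absolute */
    while (*p) {
        size_t n = strcspn(p, "/\\");   /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.') return 0;
        p += n;
        if (*p) p++;                    /* skip the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed names; the two rejected ones are quoted in the advisory. */
    const char *s[] = { "docs/readme.txt", "/etc/nologin",
                        "../../../../../../../etc/nologin" };
    char name[NAME_MAX_LEN];
    for (size_t i = 0; i < 3; i++) {
        size_t n = strlen(s[i]);
        int bad = copy_member_name(name, sizeof name, s[i], n, n) != 0
                  || !is_safe_member_path(name);
        printf("%-34s %s\n", s[i], bad ? "reject" : "extract");
    }
    return 0;
}
```

A stricter extractor would additionally resolve the final path and confirm it stays under the extraction directory, since symbolic links already on disk are outside what a string check can see.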

The vendor has been notified.

Ulf Harnhammar of the Debian Security Audit Project reported this vulnerability.

Impact:   A remote user can create an archive that, when processed by a target user with UnAce, will execute arbitrary code on the target user's system with the privileges of the target user.

A remote user can create an archive that, when extracted by a target user with UnAce, will create or overwrite files on the target system with the privileges of the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.winace.com/
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] unace-1.2b multiple buffer overflows and


I have found multiple security vulnerabilities in unace-1.2b. (It is
the last free version. The later versions are just binaries for the
x86 processor, which is unhelpful if you want to use free software or
if your computer has a non-x86 processor.)

There are two buffer overflows when extracting, testing or listing
specially prepared ACE archives. They are caused by wrong usage of
strncpy() with the third parameter coming from the archive. In both
cases, the attacker controls the EIP register.

There are also two buffer overflows when (a) dealing with long (>15600
characters) command line arguments for archive names, and (b) when
preparing a string for printing Ready for next volume messages.

Furthermore, there are directory traversal bugs when extracting ACE
archives. They are both of the absolute ("/etc/nologin") and the relative
("../../../../../../../etc/nologin") type.

All buffer overflows have the identifier CAN-2005-0160, and the directory
traversal bugs have the identifier CAN-2005-0161.

I have attached a ZIP archive containing some test archives and a patch.
I wrote a small Perl script to create the test archives, after having
read ACE.txt. I didn't have the time to create archives that work on
unace-2.x, so I haven't really tested whether later versions of unace
are vulnerable to any of these bugs.

The vendor and the distributors have been contacted, and the 22nd of
February was agreed upon as the release date.

// Ulf Härnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/
    Run this to get my new e-mail address:
   lynx -source http://slashdot.org/ | head -n1 | sed -e 's%".*$%%' \
   -e 'y%TC!%aa#%' -e 's%UB%te%g' -e 'y%<ODP%#emr%' -e 's%E H.*r% %' \
   -e 's%#%%g' -e 's%$%com%' -e 's%aa*%ta%' -e 'y%IYL%iul%'


Copyright 2018, SecurityGlobal.net LLC