Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   WinISO Vendors:   WinISO Computing Inc.
WinISO ISO Archive Extraction Directory Traversal Bug Writes Files to Arbitrary Locations
SecurityTracker Alert ID:  1016010
SecurityTracker URL:
CVE Reference:   CVE-2006-2101   (Links to External Site)
Updated:  Aug 15 2009
Original Entry Date:  Apr 28 2006
Impact:   Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 5.3, possibly other versions
Description:   A vulnerability was reported in WinISO. A remote user can cause files to be written to arbitrary locations when extracted.

The software does not properly validate filenames when extracting an ISO archive. A remote user can create an archive that, when extracted by the target user, will cause files in the archive to be written to an arbitrary location on the target user's system.

Files containing the '../' directory traversal characters can trigger the flaw.

A demonstration exploit is available at:

For the demonstration exploit, rename 'PoC.iso.bin' to 'Poc.iso' and extract the PoC.iso to write a 'POC' file in the startup folder.

Sowhat of Nevis Labs discovered this vulnerability.

The original advisory is available at:

Impact:   A remote user can create an ISO archive that, when extracted by the target user, will cause files to be written to arbitrary locations.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] WinISO/UltraISO/MagicISO/PowerISO Directory

WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability

By Sowhat of Nevis Labs
Date: 2006.04.28



WinISO Computing Inc.
EZB Systems, Inc.
MagicISO  Inc.
PowerISO Computing, Inc.

Affected Software

WinISO 5.3
UltraISO V8.0.0.1392
Magic ISO 5.0 Build 0166
PowerISO v2.9

Rating: Moderately critical ( 4 * Less Critical :)


WinISO/UltraISO/PowerISO/MagicISO are the 4 most popular software to edit
BIN/ISO or almost all images file(s) directly! It can process almost all
CD-ROM image file(s) including ISO and BINs.

There is a vulnerability exists in WinISO and UltraISO, which
potentially can be exploited by malicious people to compromise a
user's system.


The vulnerability is caused due to an input validation error when
extracting an ISO archive. This makes it possible to have files
extracted to arbitrary locations outside the specified directory
using the "../" directory traversal sequence.

The vulnerability has been confirmed in version WinISO 5.3,UltraISO V8.0.0.1392,
PowerISO v2.9,Magic ISO 5.0 Build 0166

Other versions may also be affected.


Rename the PoC.iso.bin to Poc.iso,
Extracting the PoC.iso from C driver will write a "POC" file in your
startup folder.


Please check the vendor's website for update.

"We will fixed this bug in the next released version. In the version,
 we will check file name before extract. If such file is detected,
 the path name will be removed from the file name, and the program
 will allow user to choose whether this file can be extracted"

"Following is the registration code for you as our gift. We think this
 may let you to use all features of PowerISO.

User Name         : Sowhat
Registration Code : ........"

When will Microsoft give a Windows XP license for the researchers who
reported a critical MS bugz for gift? :)

"Thanks for your message and the sample ISO image.

We will check it and try to fix any bugs related to this issue soon."

UltraISO fixed this vulnerability in 1 hour, but they didnt release a new
version, because
"In general, we do not change version number for minor changes. This bug
fix will be included in next file update soon."

"Oops. Yes, we confirm this problem. Thank you for your report and sorry for
our mistake. We will fix this problem in next build asap."


Cannot be reached because of their Mail SYSTEM problems,I have tried GMAIL
 and Hotmail over 10 times,

"Delivery to the following recipient failed permanently:"

"Delivery to the following recipient failed permanently:"

Vendor Response:

2006.04.18 4 Vendors notified via
2006.04.18 3 of 4 Vendors responded
2006.04.28 Advisory released

"Life is like a bug, Do you know how to exploit it ?"

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC