The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
Low
A
There is reduced performance or interruptions in resource availability. However, the attacker does not have the ability to completely prevent access to the resources or services; the impact is limited.
WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability
By Sowhat of Nevis Labs
Date: 2006.04.28
http://www.nevisnetworks.com
http://secway.org/advisory/AD20060428.txt
CVE: N/A
Vendor
WinISO Computing Inc.
EZB Systems, Inc.
MagicISO Inc.
PowerISO Computing, Inc.
Affected Software
WinISO 5.3
UltraISO V8.0.0.1392
Magic ISO 5.0 Build 0166
PowerISO v2.9
Rating: Moderately critical ( 4 * Less Critical :)
Overview:
WinISO/UltraISO/PowerISO/MagicISO are the 4 most popular software to edit
BIN/ISO or almost all images file(s) directly! It can process almost all
CD-ROM image file(s) including ISO and BINs.
There is a vulnerability exists in WinISO and UltraISO, which
potentially can be exploited by malicious people to compromise a
user's system.
Description:
The vulnerability is caused due to an input validation error when
extracting an ISO archive. This makes it possible to have files
extracted to arbitrary locations outside the specified directory
using the "../" directory traversal sequence.
The vulnerability has been confirmed in version WinISO 5.3,UltraISO V8.0.0.1392,
PowerISO v2.9,Magic ISO 5.0 Build 0166
Other versions may also be affected.
POC:
http://secway.org/exploit/PoC.iso.bin
Rename the PoC.iso.bin to Poc.iso,
Extracting the PoC.iso from C driver will write a "POC" file in your
startup folder.
FIX:
Please check the vendor's website for update.
PowerISO:
"We will fixed this bug in the next released version. In the version,
we will check file name before extract. If such file is detected,
the path name will be removed from the file name, and the program
will allow user to choose whether this file can be extracted"
"Following is the registration code for you as our gift. We think this
may let you to use all features of PowerISO.
User Name : Sowhat
Registration Code : ........"
When will Microsoft give a Windows XP license for the researchers who
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
reported a critical MS bugz for gift? :)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UltraISO:
"Thanks for your message and the sample ISO image.
We will check it and try to fix any bugs related to this issue soon."
UltraISO fixed this vulnerability in 1 hour, but they didnt release a new
version, because
"In general, we do not change version number for minor changes. This bug
fix will be included in next file update soon."
MagicISO:
"Oops. Yes, we confirm this problem. Thank you for your report and sorry for
our mistake. We will fix this problem in next build asap."
WinISO:
Cannot be reached because of their Mail SYSTEM problems,I have tried GMAIL
and Hotmail over 10 times,
"Delivery to the following recipient failed permanently:
support (at) winiso (dot) com [email concealed]"
"Delivery to the following recipient failed permanently:
info (at) winiso (dot) com [email concealed]"
Vendor Response:
2006.04.18 4 Vendors notified via support (at) xxxxx (dot) com [email concealed]
2006.04.18 3 of 4 Vendors responded
2006.04.28 Advisory released
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum