Buffer-overflow and directory traversal bugs in Virtools Web Player 3.0.0.100

CVE: N/A
Category: CWE-119, CWE-22
Price: Not specified
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Local
Date: 2005-10-06
CPE: cpe:/a:virtools:web_player:3.0.0.100
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2005100001

Below is a copy:

#######################################################################

Luigi Auriemma

Application:  Virtools Web Player and probably also other applications
              which can read the Virtools files but I can't test
              http://www.virtools.com
Versions:     <= 3.0.0.100
Platforms:    Windows (seems also Mac is supported)
Bugs:         A] buffer-overflow
              B] directory traversal
Exploitation: remote/local
Date:         30 Sep 2005
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Virtools is a set of applications for creating games, demos, CAD,
simulations and other multimedia stuff.
Virtools Web Player is the program which allows the usage of these
creations from the net through its implementation in the web browser.

#######################################################################

=======
2) Bugs
=======

Besides the scripts, the Virtools packages (for example those with the
VMO extension) also contain additional files such as mp3, wav, images
and so on, which are extracted into a temporary folder in the system
temp directory, for example c:\windows\temp\VTmp26453

------------------
A] buffer-overflow
------------------

A buffer-overflow bug exists in the handling of the names of the files
contained in the Virtools packages.
A filename of at least 262 bytes overwrites the EIP register, allowing
possible execution of malicious code.

----------------------
B] directory traversal
----------------------

As previously said, the files are stored in a temporary directory, and
if files with the same names already exist they are fully overwritten.
The problem here is that there are no checks on the filenames, so the
use of the classic ".." patterns allows an attacker to overwrite any
file on the disk where the system temp folder is located (usually
c:\).

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/virtbugs.zip

#######################################################################

======
4) Fix
======

Version 3.0.0.101

#######################################################################

--- 
Luigi Auriemma 
http://aluigi.altervista.org
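
A defensive counterpart to the two bugs described in section 2, as an added example (not code from the advisory or from Virtools): building the extraction path for a package entry with a length bound and a traversal check. The function names, the error codes and the policy of rejecting ':' and control bytes are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

enum { NAME_OK = 0, NAME_TOO_LONG = -1, NAME_UNSAFE = -2 };

/* Windows accepts both separators, so both must be treated as one. */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Reject names that could leave the extraction folder: empty names,
 * absolute paths, drive or stream specifiers (':'), control bytes,
 * and any path component equal to "..". */
static int name_is_confined(const char *name)
{
    const char *p = name;
    if (*p == '\0' || is_sep(*p))
        return 0;
    while (*p) {
        const char *start = p;
        while (*p && !is_sep(*p)) {
            if (*p == ':' || (unsigned char)*p < 0x20)
                return 0;
            p++;
        }
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return 0;
        if (*p)
            p++;                        /* skip the separator */
    }
    return 1;
}

/* Build "<tmpdir>\<name>" into out (outsz bytes) only if the name is
 * confined and the result fits; never writes past outsz. */
int build_extract_path(const char *tmpdir, const char *name,
                       char *out, size_t outsz)
{
    int n;
    if (outsz)
        out[0] = '\0';                  /* no stale path on failure */
    if (!name_is_confined(name))
        return NAME_UNSAFE;
    n = snprintf(out, outsz, "%s\\%s", tmpdir, name);
    if (n < 0 || (size_t)n >= outsz) {  /* would have been truncated */
        if (outsz)
            out[0] = '\0';
        return NAME_TOO_LONG;
    }
    return NAME_OK;
}
```

An extractor using this check would skip or abort on any entry that does not return NAME_OK instead of writing the file.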
