####################################################################### Luigi Auriemma Application: Virtools Web Player and probably also other applications which can read the Virtools files but I can't test http://www.virtools.com Versions: <= 3.0.0.100 Platforms: Windows (seems also Mac is supported) Bugs: A] buffer-overflow B] directory traversal Exploitation: remote/local Date: 30 Sep 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Virtools is a set of applications for creating games, demos, CAD, simulations and other multimedia stuff. Virtools Web Player is the program which allows the usage of these creations from the net through its implementation in the web browser. ####################################################################### ======= 2) Bugs ======= Other than the scripts the Virtools packages (for example those with extension VMO) contain also some additional files like mp3, wav, images and so on which are extracted in a temporary folder in the system temp directory like, for example, c:\windows\temp\VTmp26453 ------------------ A] buffer-overflow ------------------ Exists a buffer-overflow bug which happens during the handling of the names of the files contained in the Virtools packages. A filename of at least 262 bytes overwrites the return address allowing possible execution of malicious code. ---------------------- B] directory traversal ---------------------- As previously said the files are stored in a temporary directory and if already exist files with the same names they are fully overwritten. The problem here is that there are no checks on the filenames so the usage of the classical "..\" patterns allows an attacker to overwrite any file in the disk where is located the system temp folder (usually c:\). ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/virtbugs.zip ####################################################################### ====== 4) Fix ====== Version 3.0.0.101 #######################################################################