Arbitrary files overwriting through skins in DivX Player 2.6

To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
Subject: Arbitrary files overwriting through skins in DivX Player 2.6
From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
Date: Fri, 21 Jan 2005 19:02:34 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#######################################################################

                             Luigi Auriemma

Application:  DivX Player
              http://www.divx.com/divx/player/
Versions:     <= 2.6
Platforms:    Windows
Bug:          arbitrary files overwriting through skins
Exploitation: local (or remote through browser)
Date:         21 Jan 2005
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


As the name suggests, DivX Player is a Windows player for DivX files.
It is included by default in the DivX codec distribuited by
DivXNetworks.


#######################################################################

======
2) Bug
======


The skins used by DivX Player are zip files containing all the needed 
images and a script file.

When the player loads a skin, it unpacks the zip into a folder with the
same name of the DPS file located in the temporary system directory.

An attacker can overwrite the files on the victim's disk in which is
located the temporary folder (usually c:) using the classical directory
traversal path like:

  ..\..\..\..\windows\notepad.exe

Can be used both slash and backslash.


#######################################################################

===========
3) The Code
===========


  http://aluigi.altervista.org/poc/divxplayerbug.dps

It overwrites/creates the file c:\folder\divxplayerbug.txt

However creating the zip files to exploit the vulnerability is very
easy since you need only to modify the names of the files located in
the central directory of the zip file (the final part).


#######################################################################

======
4) Fix
======


No fix.
No reply from the vendor.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

Prev by Date: [ GLSA 200501-29 ] Mailman: Cross-site scripting vulnerability
Next by Date: Microsoft NetDDE Service Unauthenticated Remote Buffer Overflow
Previous by thread: [ GLSA 200501-29 ] Mailman: Cross-site scripting vulnerability
Next by thread: Microsoft NetDDE Service Unauthenticated Remote Buffer Overflow
Index(es):
- Date
- Thread