<<< Date Index >>>     <<< Thread Index >>>

Buffer-overflow and directory traversal bugs in Virtools Web Player 3.0.0.100



#######################################################################

                             Luigi Auriemma

Application:  Virtools Web Player and probably also other applications
              which can read the Virtools files but I can't test
              http://www.virtools.com
Versions:     <= 3.0.0.100
Platforms:    Windows (seems also Mac is supported)
Bugs:         A] buffer-overflow
              B] directory traversal
Exploitation: remote/local
Date:         30 Sep 2005
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Virtools is a set of applications for creating games, demos, CAD,
simulations and other multimedia stuff.
Virtools Web Player is the program which allows the usage of these
creations from the net through its implementation in the web browser.


#######################################################################

=======
2) Bugs
=======


Other than the scripts the Virtools packages (for example those with
extension VMO) contain also some additional files like mp3, wav, images
and so on which are extracted in a temporary folder in the system temp
directory like, for example, c:\windows\temp\VTmp26453


------------------
A] buffer-overflow
------------------

Exists a buffer-overflow bug which happens during the handling of the
names of the files contained in the Virtools packages.
A filename of at least 262 bytes overwrites the EIP register allowing
possible execution of malicious code.


----------------------
B] directory traversal
----------------------

As previously said the files are stored in a temporary directory and if
already exist files with the same names they are fully overwritten.
The problem here is that there are no checks on the filenames so the
usage of the classical "..\" patterns allows an attacker to overwrite
any file in the disk where is located the system temp folder (usually
c:\).


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/virtbugs.zip


#######################################################################

======
4) Fix
======


Version 3.0.0.101


#######################################################################


--- 
Luigi Auriemma 
http://aluigi.altervista.org