
vuln.sg Vulnerability Research Advisory

EF Commander ISO File Long Pathname Buffer Overflow Vulnerability

by Tan Chew Keong
Release Date: 2007-01-09


Summary

A vulnerability has been found in EF Commander. When exploited, the vulnerability allows execution of arbitrary code when the user opens a malicious ISO file.


Tested Versions

EF Commander version 5.75 (English)


Details

This advisory discloses a stack-based buffer overflow in EF Commander. The overflow occurs when EF Commander constructs the full pathname of a file stored within an ISO image into a fixed-size stack buffer. It can be exploited to execute arbitrary code.

In order to exploit this vulnerability successfully, the user must be convinced to open a malicious ISO image file.

The length of each directory name is limited by the ISO format, so no single component is long enough to overflow the buffer. However, it is possible to create an ISO image that contains a file nested within several levels of directories. The full pathname of such a file exceeds the size of the stack buffer, and the overflow overwrites the saved EIP and the SEH handler.
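The following C program is an added illustration of the bug class described above; it is not EF Commander's code and nothing in it is taken from the product. It assumes an ISO 9660 Level 2 directory identifier limit of 31 characters, a fixed 260-byte stack buffer (Windows MAX_PATH), and a backslash separator; all three are assumptions. It shows the unsafe per-component strcat pattern next to a bounds-checked join, and computes how many maximum-length nested directories are needed before the full pathname no longer fits.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction of the bug class, not EF Commander's code.
 * ISO_MAX_DIR_ID follows the ISO 9660 Level 2 limit on a directory
 * identifier; FULL_PATH_BUF is an assumed fixed-size stack buffer
 * (Windows MAX_PATH). Neither value is taken from EF Commander. */
#define ISO_MAX_DIR_ID 31
#define FULL_PATH_BUF  260
#define MAX_PARTS      64

/* Vulnerable pattern: each path component is appended with strcat,
 * trusting the per-component limit but never checking the running
 * total. With enough nested directories the writes run past out[]. */
static void build_full_path_unsafe(char out[FULL_PATH_BUF],
                                   const char *const *parts, size_t n)
{
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        strcat(out, "\\");
        strcat(out, parts[i]);      /* no bound on strlen(out) */
    }
}

/* Hardened form: bounds-checked join. Returns the resulting length, or -1
 * (leaving out[] empty) if any component exceeds the format limit or the
 * full pathname plus NUL would not fit in cap bytes. */
static int build_full_path_safe(char *out, size_t cap,
                                const char *const *parts, size_t n)
{
    size_t used = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(parts[i]);
        if (len > ISO_MAX_DIR_ID || used + 1 + len + 1 > cap) {
            out[0] = '\0';
            return -1;
        }
        out[used++] = '\\';
        memcpy(out + used, parts[i], len);
        used += len;
        out[used] = '\0';
    }
    return (int)used;
}

/* Smallest number of maximum-length components whose joined pathname
 * (separator + name each, plus the NUL) no longer fits in cap bytes. */
static size_t components_to_overflow(size_t cap, size_t name_len)
{
    return cap / (name_len + 1) + 1;
}

/* Constructs n directory identifiers of ISO_MAX_DIR_ID characters each
 * (constructed sample data) and joins them into a FULL_PATH_BUF buffer
 * with the hardened routine. Returns the joined length, or -1 if the
 * nesting is deep enough that the unsafe routine would have overflowed. */
static int nested_join_len(size_t n)
{
    static char names[MAX_PARTS][ISO_MAX_DIR_ID + 1];
    const char *parts[MAX_PARTS];
    char out[FULL_PATH_BUF];
    if (n > MAX_PARTS) return -1;
    for (size_t i = 0; i < n; i++) {
        memset(names[i], 'A' + (int)(i % 26), ISO_MAX_DIR_ID);
        names[i][ISO_MAX_DIR_ID] = '\0';
        parts[i] = names[i];
    }
    return build_full_path_safe(out, sizeof out, parts, n);
}

/* Shows the unsafe join behaving correctly on a shallow path, which is
 * why the bug survives ordinary testing. Returns 1 on the expected result. */
static int unsafe_join_shallow_ok(void)
{
    const char *parts[] = { "DIR1", "FILE.TXT" };
    char out[FULL_PATH_BUF];
    build_full_path_unsafe(out, parts, 2);
    return strcmp(out, "\\DIR1\\FILE.TXT") == 0;
}

int main(void)
{
    size_t k = components_to_overflow(FULL_PATH_BUF, ISO_MAX_DIR_ID);
    printf("components of %d chars needed to exceed %d bytes: %zu\n",
           ISO_MAX_DIR_ID, FULL_PATH_BUF, k);
    printf("join of %zu components: %d\n", k - 1, nested_join_len(k - 1));
    printf("join of %zu components: %d (rejected)\n", k, nested_join_len(k));
    return 0;
}
```

Under these assumptions eight 31-character components (256 bytes plus NUL) still fit, and the ninth is the first that does not; the hardened join rejects it and returns -1 where the strcat loop would have written past the buffer. The per-component limit alone is therefore not a defence; the check has to be on the accumulated length.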


POC / Test Code

The following POC ISO file will exploit the vulnerability to run calc.exe or crash EF Commander. The code execution POC has been successfully tested on English WinXP SP2.


Instructions:

  1. Download the POC ISO file and save it to the hard-disk.
  2. Run EF Commander.
  3. Double-click on the POC ISO file from within EF Commander to open it.
  4. A successful exploit will run calc.exe, or crash EF Commander because EIP is redirected to the overwritten SEH handler.


Patch / Workaround

Update to version 5.80.


Disclosure Timeline

2007-01-02 - Vulnerability discovered.
2007-01-02 - Initial vendor notification. Sent URL of draft advisory and POC files to vendor. (No reply from vendor)
2007-01-03 - Second vendor notification. (No reply from vendor)
2007-01-08 - Noticed that vendor has released version 5.80. (Emailed vendor to ask whether version 5.80 contains the fix)
2007-01-08 - Still no reply from vendor. Tested version 5.80 and found that it is no longer vulnerable.
2007-01-08 - Informed vendor of advisory disclosure date.
2007-01-09 - Public release (No reply from vendor).


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to