by Tan Chew Keong
Release Date: 2007-01-09
A vulnerability has been found in EF Commander. When exploited, the vulnerability allows execution of arbitrary code when the user opens a malicious ISO file.
Affected Version
EF Commander version 5.75 (English)
This advisory discloses a stack-based buffer overflow in EF Commander. The overflow occurs when EF Commander constructs the full pathname of a file within an ISO image, and it can be exploited to execute arbitrary code.
In order to exploit this vulnerability successfully, the user must be convinced to open a malicious ISO image file.
The length of each directory name is limited by the ISO format. However, it is possible to create an ISO image that contains a file nested within several levels of directories. The resulting full pathname overflows the stack buffer, allowing the saved EIP and the SEH handler to be overwritten.
POC / Test Code
The following POC ISO file will exploit the vulnerability to run calc.exe or crash EF Commander. The code execution POC has been successfully tested on English WinXP SP2.
- Download the POC ISO file and save it to the hard-disk.
- Run EF Commander.
- Double-click on the POC ISO file from within EF Commander to open it.
- A successful exploit will run calc.exe or crash EF Commander because EIP is redirected to the overwritten SEH handler.
Patch / Workaround
Update to version 5.80.
Disclosure Timeline
2007-01-02 - Vulnerability discovered.
2007-01-02 - Initial vendor notification. Sent URL of draft advisory and POC files to vendor. (No reply from vendor)
2007-01-03 - Second vendor notification. (No reply from vendor)
2007-01-08 - Noticed that the vendor had released version 5.80. (Emailed vendor to ask whether version 5.80 contains the fix)
2007-01-08 - Still no reply from vendor. Tested version 5.80 and found that it is no longer vulnerable.
2007-01-08 - Informed vendor of advisory disclosure date.
2007-01-09 - Public release (No reply from vendor).