by Tan Chew Keong
Release Date: 2007-09-28
Summary
A vulnerability has been found in ICEOWS. When exploited, the vulnerability allows execution of arbitrary code when the user opens a malicious ACE archive file.
Tested Versions
- ICEOWS version 4.20b (English)
Details
A stack-based buffer overflow vulnerability exists within the IceGUI.DLL Windows Explorer shell extension that is installed by ICEOWS. The purpose of this extension is to allow the user to extract archives via the Windows Explorer interface. The boundary error occurs when IceGUI.DLL is handling the filename that is read from an ACE archive.
The vulnerability is due to the incorrect use of the "strncpy()" function to copy the filename that was read from the ACE file header into a fixed-sized stack buffer. In particular, the "count" parameter of "strncpy()" was incorrectly set to the value of the filename length that was read from the ACE file header, instead of being set to the size of the destination buffer.
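The following C example is added here to illustrate the defect class the advisory describes; it is not code from IceGUI.DLL or from ICEOWS, and the header layout, buffer size (NAME_BUF_SIZE) and function names are assumptions chosen for the illustration rather than the real ACE on-disk format. It contrasts the faulty pattern (strncpy() bounded by the length field read from the file) with a version that validates the untrusted length against the destination size before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer in the extraction routine (assumed value;
 * the advisory does not state the real buffer size). */
#define NAME_BUF_SIZE 64

/* Minimal stand-in for the parts of an ACE file-header record that matter
 * here: a filename-length field followed by the filename bytes. This is a
 * constructed layout for the example, not the real ACE header format. */
typedef struct {
    uint16_t name_len;   /* read straight from the archive: attacker-controlled */
    const char *name;    /* filename bytes that follow the length field */
} file_header_t;

/* The pattern the advisory describes: the count argument of strncpy() is the
 * length from the header rather than the size of dst, so a name longer than
 * NAME_BUF_SIZE writes past the end of the stack buffer. Included only to
 * contrast with the fixed version; this example never calls it. */
void copy_name_vulnerable(char dst[NAME_BUF_SIZE], const file_header_t *hdr)
{
    strncpy(dst, hdr->name, hdr->name_len);   /* BUG: bound comes from the file */
}

/* Fixed version: check the untrusted length against the destination first,
 * then copy with room for the terminator. Returns 0 on success and -1 when
 * the name cannot fit, so the caller rejects the entry instead of silently
 * truncating it. */
int copy_name_safe(char dst[NAME_BUF_SIZE], const file_header_t *hdr)
{
    if (hdr->name_len >= NAME_BUF_SIZE) {
        dst[0] = '\0';
        return -1;                 /* overlong name: reject the entry */
    }
    memcpy(dst, hdr->name, hdr->name_len);
    dst[hdr->name_len] = '\0';     /* the check above guarantees room */
    return 0;
}

/* Demo helper: build a header whose length field claims `len` bytes and run
 * the safe copy against it. */
int check_entry(uint16_t len, const char *name_bytes, char out[NAME_BUF_SIZE])
{
    file_header_t hdr = { len, name_bytes };
    return copy_name_safe(out, &hdr);
}

int main(void)
{
    char buf[NAME_BUF_SIZE];
    /* Constructed sample entries: a normal name, and one whose header claims
     * far more bytes than the buffer can hold. */
    static const char normal[] = "readme.txt";
    static char overlong[300];
    memset(overlong, 'A', sizeof overlong);

    int rc = check_entry((uint16_t)(sizeof normal - 1), normal, buf);
    printf("normal:   rc=%d name=\"%s\"\n", rc, buf);
    rc = check_entry((uint16_t)sizeof overlong, overlong, buf);
    printf("overlong: rc=%d (entry rejected)\n", rc);
    return 0;
}
```

The important design point is that the bound passed to the copy routine must derive from the destination, never from data under the archive author's control; rejecting the entry outright is preferable to truncation, since a truncated name can still be used to smuggle an entry past later checks.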
This can be exploited to trigger a stack-based buffer overflow via a specially crafted ACE file that contains a compressed file with an overly long filename. Execution of arbitrary code can be achieved by overwriting a function pointer on the stack that is subsequently used in the same vulnerable function.
To exploit this vulnerability, an attacker must convince the user to open a malicious ACE archive. Because the overflow overwrites a function pointer on the stack, it leads to execution of arbitrary code; this has been confirmed on English WinXP SP2.
POC / Test Code
The following POC ACE files will exploit the vulnerability to run calc.exe or crash ICEOWS 4.20b. The code execution POC has been successfully tested on English WinXP SP2.
- iceows420b-EXP.ace (exploits the stack-based buffer overflow to run calc.exe on English WinXP SP2)
- iceows420b-CRASH.ace (crashes ICEOWS by using the buffer overflow to overwrite a function pointer on the stack)
Instructions to reproduce the vulnerability:
- Download the POC files and save them to the hard disk.
- Using Windows Explorer, open the folder where the POC files are saved.
- Double-click on the ACE file.
- A successful exploit will run calc.exe or crash Windows Explorer.
Patch / Workaround
Do not open ACE archives from untrusted sources.
Disclosure Timeline
2007-09-15 - Vulnerability discovered.
2007-09-15 - Initial vendor notification. (no reply)
2007-09-16 - Second vendor notification. (no reply)
2007-09-20 - Third vendor notification. (no reply)
2007-09-28 - Public disclosure.