vuln.sg  

vuln.sg Vulnerability Research Advisory

iso_wincmd Plugin for Total Commander Buffer Overflow Vulnerability

by Tan Chew Keong
Release Date: 2006-12-30
Updated: 2007-01-02

   [en] [jp]

Summary

A vulnerability has been found in iso_wincmd plugin for Total Commander. When exploited, the vulnerability allows execution of arbitrary code when the user opens a malicious ISO file.


Tested Versions

iso_wincmd version 1.7.3.3 (1.7.3 Beta 3) and version 1.6.10.

Note: Other products that uses the code of iso_wincmd are potentially also affected. The vendors of these products have been notified and will be releasing fixes shortly.

This is NOT a Total Commander vulnerability. The vulnerability exists in the iso_wincmd plugin, which is written by a third-party.


Details

This advisory discloses a buffer overflow vulnerability in iso_wincmd. The stack-based buffer overflow occurs when the plugin is constructing the full pathname of a file within an ISO image. This can be exploited to cause a stack-based buffer overflow and allows execution of arbitrary code.

In order to exploit this vulnerability successfully, the user must be convinced to open a malicious ISO image file using this plugin in Total Commander.

The buffer overflow occurs within the LoadTree() and ReadHeader() functions. The LoadTree() and ReadHeader() functions contruct the full pathname of each file in the ISO image by reading the directory entries within the ISO file. The directory name that is read from each directory entry is concatenated together using lstrcatA(), and finally with the filename. Subsequently, the constructed full pathname is copied into a fixed-length stack buffer using the unsafe lstrcpyA() function.

The length of each directory name is limited by the ISO format. However, it is possible create an ISO image that contains a file nested within several level of directories. This will create a full pathname that overflows the stack buffer, thus allowing the saved EIP and SEH handler to be overwritten.


POC / Test Code

The following POC ISO file will exploit the vulnerability to run calc.exe or crash Total Commander when the iso_wincmd Plugin is installed. The code execution POC has been successfully tested on English versions of WinXP SP2 and Win2K SP4 with Total Commander 6.55a.

  • isowincmdEXP.iso (exploits the overflow to run calc.exe on English WinXP SP2/Win2K SP4 with Total Commander 6.55a)
  • isowincmdCRASH.iso (crashes Total Commander with iso_wincmd Plugin via ReadHeader() overflow)
  • isowincmdCRASH2.iso (crashes Total Commander with iso_wincmd Plugin via LoadTree() overflow)


Instructions:

  1. Run Total Commander with iso_wincmd Plugin installed.
  2. Double click on the POC ISO file from within Total Commander to open it.
  3. Successful exploit will crash Total Commander due to the EIP being redirected to the overwritten SEH handler.
 


Suggested Fixes

Below are the suggested fixes for the vulnerability. You should thoroughly test the fixes to ensure that they do not break any functionality before using it. The suggested fixes should be used only as a temporary measure until the vendor releases a complete fix.

NOTE: These suggested fixes are based on source code version 1.7.3.3 (1.7.3 beta 3).
 

1) Fix for ReadHeader() function

Locate the following line (in red) within the ReadHeader(HANDLE hArcData, tHeaderData* HeaderData) function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


Directory* directory = image->DirectoryList + image->Index;
lstrcpy( HeaderData->FileName, directory->FilePath );

Replace the line in red (above) with the 4 lines of code in red shown below.

Directory* directory = image->DirectoryList + image->Index;
if(lstrlen(directory->FilePath)+1 > sizeof(HeaderData->FileName))
	return E_BAD_ARCHIVE;
else
	lstrcpy( HeaderData->FileName, directory->FilePath );

2) First Fix for LoadTree() function

Locate the following line (in red) within the LoadTree() function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


if( codepage == CP_UTF8 )
	lstrcpyn( directory.FileName, (char*)record->FileIdentifier, record->LengthOfFileIdentifier + 1 );
            
if( lstrrchr( directory.FileName, ';' ) )
	*lstrrchr( directory.FileName, ';' ) = 0;

lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), (path[0]) ? "\\" : "" ), directory.FileName );

if( dirs )
	(*dirs)[*count] = directory;
(*count)++;

Replace the lines in red (above) with the modified code in red shown below.

if( codepage == CP_UTF8 )
	lstrcpyn( directory.FileName, (char*)record->FileIdentifier, sizeof(directory.FileName) );
            
if( lstrrchr( directory.FileName, ';' ) )
	*lstrrchr( directory.FileName, ';' ) = 0;

if( (lstrlen(path) + lstrlen(directory.FileName) + 2) > sizeof(directory.FilePath) )
{
	free( data );
	return false;
}
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), (path[0]) ? "\\" : "" ), directory.FileName );
			
if( dirs )
	(*dirs)[*count] = directory;
(*count)++;
            

3) Second Fix for LoadTree() function

Locate the following line (in red) within the LoadTree() function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
	min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));

if( lstrrchr( directory.FileName, ';' ) )
	*lstrrchr( directory.FileName, ';' ) = 0;

lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : "" ), directory.FileName );

if( dirs )
	(*dirs)[*count] = directory;
(*count)++;

Replace the line in red (above) with the modified code in red shown below.

lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
	min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));

if( lstrrchr( directory.FileName, ';' ) )
	*lstrrchr( directory.FileName, ';' ) = 0;

if( (lstrlen(path) + lstrlen(directory.FileName) + 2) > sizeof(directory.FilePath) )
{
	free( data );
	return false;
}
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : "" ), directory.FileName );

if( dirs )
	(*dirs)[*count] = directory;
(*count)++;
            

4) Third Fix for LoadTree() function

Locate the following lines (in red) within the LoadTree() function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


if( dirs )
{
	Directory* dir = (*dirs) + (*count);
	ZeroMemory( dir, sizeof( *dir ) );
	dir->VolumeDescriptor = desc;
	if( lstrlen( path ) )
	{
		lstrcpy( dir->FilePath, lstrcpy( dir->FileName, path ) );
		lstrcat( dir->FilePath, "\\" );
		lstrcat( dir->FileName, "\\" );
	}
            
	const char* boot_images = "boot.images";

	lstrcat( dir->FilePath, boot_images );
	lstrcat( dir->FileName, boot_images );
	dir->Record.FileFlags = FATTR_DIRECTORY | FATTR_HIDDEN;
}
(*count)++;

Replace the lines in red (above) with the modified code in red shown below.

if( dirs )
{
	Directory* dir = (*dirs) + (*count);
	ZeroMemory( dir, sizeof( *dir ) );
	dir->VolumeDescriptor = desc;
	if( lstrlen( path ) )
	{
		lstrcpyn( dir->FilePath, lstrcpyn( dir->FileName, path, sizeof(dir->FileName)-1 ), 
		      sizeof(dir->FilePath)-1 );
		lstrcat( dir->FilePath, "\\" );
		lstrcat( dir->FileName, "\\" );
	}
            
	const char* boot_images = "boot.images";

	if( (lstrlen(dir->FilePath) + lstrlen(boot_images) + 1 > sizeof(dir->FilePath)) ||
	    (lstrlen(dir->FileName) + lstrlen(boot_images) + 1 > sizeof(dir->FileName)) )
	{
		free(data);
		return false;
	}
	lstrcat( dir->FilePath, boot_images );
	lstrcat( dir->FileName, boot_images );
	dir->Record.FileFlags = FATTR_DIRECTORY | FATTR_HIDDEN;
}
(*count)++;
                    

5) Fourth Fix for LoadTree() function

Locate the following lines (in red) within the LoadTree() function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


if( lstrlen( path ) )
	lstrcat( lstrcat( lstrcpy( dir->FilePath, path ), "\\boot.images\\" ), dir->FileName );
else
	lstrcat( lstrcpy( dir->FilePath, "boot.images\\" ), dir->FileName );

dir->Record.LocationOfExtent = BootEntry->Entry.LoadRBA;
dir->VolumeDescriptor = desc;

Replace the lines in red (above) with the modified code in red shown below.

if( lstrlen( path ) )
{
	if(lstrlen(path) + lstrlen("\\boot.images\\") + lstrlen(dir->FileName) + 1 >
	   sizeof(dir->FilePath))
	{
		free( data );
		return false;
	}
	lstrcat( lstrcat( lstrcpy( dir->FilePath, path ), "\\boot.images\\" ), dir->FileName );
}
else
	lstrcat( lstrcpy( dir->FilePath, "boot.images\\" ), dir->FileName );

dir->Record.LocationOfExtent = BootEntry->Entry.LoadRBA;
dir->VolumeDescriptor = desc;
                                

6) Fix for LoadXBOXTree() function

Locate the following line (in red) within the LoadXBOXTree() function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


directory.XBOXRecord = *record;
directory.VolumeDescriptor = desc;

lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
          min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));

lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : "" ), directory.FileName );

if( dirs )
	(*dirs)[*count] = directory;
(*count)++;
        
Replace the line in red (above) with the modified code in red shown below.

directory.XBOXRecord = *record;
directory.VolumeDescriptor = desc;

lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
          min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));
			
if( (lstrlen(path) + lstrlen(directory.FileName) + 2) > sizeof(directory.FilePath) )
{
	free( data );
	free( stack );
	return false;
}
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : "" ), directory.FileName );

if( dirs )
	(*dirs)[*count] = directory;
(*count)++;
                                


Patch / Workaround

Do not open ISO files from untrusted sources, or apply the suggested fixes as a temporary measure until the vendor releases a complete fix.


Disclosure Timeline

2006-12-18 - Vulnerability Discovered.
2006-12-19 - Initial Vendor Notification (email).
2006-12-20 - Second Vendor Notification (email).
2006-12-22 - Third Vendor Notification (ICQ).
2006-12-27 - Initial Vendor Reply. (Fixed version will be released in end January)
2006-12-30 - Public Release.
2007-01-02 - Updated Advisory. (To ensure that it will not be misunderstood by readers as a Total Commander vulnerability)


Contact
For further enquries, comments, suggestions or bug reports, simply email them to