[vuln.sg] iso_wincmd Plugin for Total Commander Buffer Overflow Vulnerability

A vulnerability has been found in iso_wincmd plugin for Total Commander. When exploited, the vulnerability allows execution of arbitrary code when the user opens a malicious ISO file.

Note: Other products that uses the code of iso_wincmd are potentially also affected. The vendors of these products have been notified and will be releasing fixes shortly.

This is NOT a Total Commander vulnerability. The vulnerability exists in the iso_wincmd plugin, which is written by a third-party.

This advisory discloses a buffer overflow vulnerability in iso_wincmd. The stack-based buffer overflow occurs when the plugin is constructing the full pathname of a file within an ISO image. This can be exploited to cause a stack-based buffer overflow and allows execution of arbitrary code.

In order to exploit this vulnerability successfully, the user must be convinced to open a malicious ISO image file using this plugin in Total Commander.

The buffer overflow occurs within the LoadTree() and ReadHeader() functions. The LoadTree() and ReadHeader() functions contruct the full pathname of each file in the ISO image by reading the directory entries within the ISO file. The directory name that is read from each directory entry is concatenated together using lstrcatA(), and finally with the filename. Subsequently, the constructed full pathname is copied into a fixed-length stack buffer using the unsafe lstrcpyA() function.

The length of each directory name is limited by the ISO format. However, it is possible create an ISO image that contains a file nested within several level of directories. This will create a full pathname that overflows the stack buffer, thus allowing the saved EIP and SEH handler to be overwritten.

The following POC ISO file will exploit the vulnerability to run calc.exe or crash Total Commander when the iso_wincmd Plugin is installed. The code execution POC has been successfully tested on English versions of WinXP SP2 and Win2K SP4 with Total Commander 6.55a.

Instructions:

Run Total Commander with iso_wincmd Plugin installed.
Double click on the POC ISO file from within Total Commander to open it.
Successful exploit will crash Total Commander due to the EIP being redirected to the overwritten SEH handler.

Below are the suggested fixes for the vulnerability. You should thoroughly test the fixes to ensure that they do not break any functionality before using it. The suggested fixes should be used only as a temporary measure until the vendor releases a complete fix.

NOTE: These suggested fixes are based on source code version 1.7.3.3 (1.7.3 beta 3).

Locate the following line (in red) within the ReadHeader(HANDLE hArcData, tHeaderData* HeaderData) function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


Directory* directory = image->DirectoryList + image->Index;
lstrcpy( HeaderData->FileName, directory->FilePath );


Directory* directory = image->DirectoryList + image->Index;
if(lstrlen(directory->FilePath)+1 > sizeof(HeaderData->FileName))
	return E_BAD_ARCHIVE;
else
	lstrcpy( HeaderData->FileName, directory->FilePath );

Locate the following line (in red) within the LoadTree() function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


if( codepage == CP_UTF8 )
	lstrcpyn( directory.FileName, (char*)record->FileIdentifier, record->LengthOfFileIdentifier + 1 );
            
if( lstrrchr( directory.FileName, ';' ) )
	*lstrrchr( directory.FileName, ';' ) = 0;

lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), (path[0]) ? "\\" : "" ), directory.FileName );

if( dirs )
	(*dirs)[*count] = directory;
(*count)++;


if( codepage == CP_UTF8 )
	lstrcpyn( directory.FileName, (char*)record->FileIdentifier, sizeof(directory.FileName) );
            
if( lstrrchr( directory.FileName, ';' ) )
	*lstrrchr( directory.FileName, ';' ) = 0;

if( (lstrlen(path) + lstrlen(directory.FileName) + 2) > sizeof(directory.FilePath) )
{
	free( data );
	return false;
}
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), (path[0]) ? "\\" : "" ), directory.FileName );
			
if( dirs )
	(*dirs)[*count] = directory;
(*count)++;

Locate the following line (in red) within the LoadTree() function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
	min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));

if( lstrrchr( directory.FileName, ';' ) )
	*lstrrchr( directory.FileName, ';' ) = 0;

lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : "" ), directory.FileName );

if( dirs )
	(*dirs)[*count] = directory;
(*count)++;


lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
	min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));

if( lstrrchr( directory.FileName, ';' ) )
	*lstrrchr( directory.FileName, ';' ) = 0;

if( (lstrlen(path) + lstrlen(directory.FileName) + 2) > sizeof(directory.FilePath) )
{
	free( data );
	return false;
}
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : "" ), directory.FileName );

if( dirs )
	(*dirs)[*count] = directory;
(*count)++;

Locate the following lines (in red) within the LoadTree() function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


if( dirs )
{
	Directory* dir = (*dirs) + (*count);
	ZeroMemory( dir, sizeof( *dir ) );
	dir->VolumeDescriptor = desc;
	if( lstrlen( path ) )
	{
		lstrcpy( dir->FilePath, lstrcpy( dir->FileName, path ) );
		lstrcat( dir->FilePath, "\\" );
		lstrcat( dir->FileName, "\\" );
	}
            
	const char* boot_images = "boot.images";

	lstrcat( dir->FilePath, boot_images );
	lstrcat( dir->FileName, boot_images );
	dir->Record.FileFlags = FATTR_DIRECTORY | FATTR_HIDDEN;
}
(*count)++;


if( dirs )
{
	Directory* dir = (*dirs) + (*count);
	ZeroMemory( dir, sizeof( *dir ) );
	dir->VolumeDescriptor = desc;
	if( lstrlen( path ) )
	{
		lstrcpyn( dir->FilePath, lstrcpyn( dir->FileName, path, sizeof(dir->FileName)-1 ), 
		      sizeof(dir->FilePath)-1 );
		lstrcat( dir->FilePath, "\\" );
		lstrcat( dir->FileName, "\\" );
	}
            
	const char* boot_images = "boot.images";

	if( (lstrlen(dir->FilePath) + lstrlen(boot_images) + 1 > sizeof(dir->FilePath)) ||
	    (lstrlen(dir->FileName) + lstrlen(boot_images) + 1 > sizeof(dir->FileName)) )
	{
		free(data);
		return false;
	}
	lstrcat( dir->FilePath, boot_images );
	lstrcat( dir->FileName, boot_images );
	dir->Record.FileFlags = FATTR_DIRECTORY | FATTR_HIDDEN;
}
(*count)++;

Locate the following lines (in red) within the LoadTree() function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


if( lstrlen( path ) )
	lstrcat( lstrcat( lstrcpy( dir->FilePath, path ), "\\boot.images\\" ), dir->FileName );
else
	lstrcat( lstrcpy( dir->FilePath, "boot.images\\" ), dir->FileName );

dir->Record.LocationOfExtent = BootEntry->Entry.LoadRBA;
dir->VolumeDescriptor = desc;


if( lstrlen( path ) )
{
	if(lstrlen(path) + lstrlen("\\boot.images\\") + lstrlen(dir->FileName) + 1 >
	   sizeof(dir->FilePath))
	{
		free( data );
		return false;
	}
	lstrcat( lstrcat( lstrcpy( dir->FilePath, path ), "\\boot.images\\" ), dir->FileName );
}
else
	lstrcat( lstrcpy( dir->FilePath, "boot.images\\" ), dir->FileName );

dir->Record.LocationOfExtent = BootEntry->Entry.LoadRBA;
dir->VolumeDescriptor = desc;

Locate the following line (in red) within the LoadXBOXTree() function in iso_wincmd.cpp for version 1.7.3.3 (1.7.3 beta 3).


directory.XBOXRecord = *record;
directory.VolumeDescriptor = desc;

lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
          min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));

lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : "" ), directory.FileName );

if( dirs )
	(*dirs)[*count] = directory;
(*count)++;


directory.XBOXRecord = *record;
directory.VolumeDescriptor = desc;

lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
          min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));
			
if( (lstrlen(path) + lstrlen(directory.FileName) + 2) > sizeof(directory.FilePath) )
{
	free( data );
	free( stack );
	return false;
}
lstrcat( lstrcat( lstrcpy( directory.FilePath, path ), path[0] ? "\\" : "" ), directory.FileName );

if( dirs )
	(*dirs)[*count] = directory;
(*count)++;

Do not open ISO files from untrusted sources, or apply the suggested fixes as a temporary measure until the vendor releases a complete fix.

2006-12-18 - Vulnerability Discovered.
2006-12-19 - Initial Vendor Notification (email).
2006-12-20 - Second Vendor Notification (email).
2006-12-22 - Third Vendor Notification (ICQ).
2006-12-27 - Initial Vendor Reply. (Fixed version will be released in end January)
2006-12-30 - Public Release.
2007-01-02 - Updated Advisory. (To ensure that it will not be misunderstood by readers as a Total Commander vulnerability)