by Tan Chew Keong
Release Date: 2007-01-04
Summary
A vulnerability has been found in PowerArchiver. When exploited, the vulnerability allows execution of arbitrary code when the user opens a malicious ISO file.
Tested Versions
PowerArchiver version 9.64.02 (English) with PAISO.DLL 1.7.3.0 (1.7.3 beta)
Details
This advisory discloses a stack-based buffer overflow vulnerability in PowerArchiver. The overflow occurs when PowerArchiver constructs the full pathname of a file within an ISO image, and it can be exploited to execute arbitrary code.
In order to exploit this vulnerability successfully, the user must be convinced to open a malicious ISO image file.
The buffer overflow occurs within the LoadTree() and ReadHeader() functions of PAISO.DLL (version 1.7.3.0) that is distributed with PowerArchiver.
The LoadTree() and ReadHeader() functions construct the full pathname of each file in the ISO image by reading the directory entries within the ISO file. The directory name read from each directory entry is concatenated to the path so far using lstrcatA(), and finally the filename is appended. The constructed full pathname is then copied into a fixed-length stack buffer using the unsafe lstrcpyA() function.
The length of each individual directory name is limited by the ISO format. However, the number of nesting levels is not, so it is possible to create an ISO image that contains a file nested within several levels of directories. The resulting full pathname exceeds the size of the stack buffer, thus allowing the saved EIP and the SEH handler to be overwritten.
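The following C program is an added illustration written for this advisory; it is not code from PAISO.DLL or from PowerArchiver. It models the path construction described above: a version that appends every directory component and the filename with an unbounded concatenation (the pattern the advisory describes, with strcat() standing in for lstrcatA() so the program builds on any platform), and a hardened version that checks each append against the destination size and rejects a path that would not fit. The per-identifier limit of 31 bytes and the 260-byte destination buffer are assumptions chosen for the example; the advisory itself only states that the name length is limited by the ISO format and that the buffer is fixed-length. The directory chain and file name are constructed sample input.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumption for this example: a single ISO 9660 identifier is at most 31 bytes. */
#define ISO_ID_MAX 31
/* Assumption for this example: the fixed stack buffer is MAX_PATH (260) bytes. */
#define PATH_BUF 260
/* Upper bound on nesting depth this demo will generate. */
#define MAX_DEPTH 64

/* Vulnerable pattern as described in the advisory: each directory name, then the
 * filename, is concatenated with no knowledge of the destination size. Each
 * component is short, but the total grows with the nesting depth. */
static void build_path_unchecked(char *out, const char *const *dirs,
                                 size_t ndirs, const char *file)
{
    out[0] = '\0';
    for (size_t i = 0; i < ndirs; i++) {
        strcat(out, dirs[i]);   /* unbounded, like lstrcatA() */
        strcat(out, "\\");
    }
    strcat(out, file);
}

/* Hardened form: every append is checked against outsz before it happens.
 * Returns the resulting length, or -1 if the path would not fit or an
 * identifier is longer than the format allows. */
static int build_path_checked(char *out, size_t outsz, const char *const *dirs,
                              size_t ndirs, const char *file)
{
    size_t len = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < ndirs; i++) {
        size_t n = strlen(dirs[i]);
        if (n > ISO_ID_MAX) return -1;        /* identifier longer than the format permits */
        if (len + n + 1 >= outsz) return -1;  /* component + separator + NUL must fit */
        memcpy(out + len, dirs[i], n);
        len += n;
        out[len++] = '\\';
        out[len] = '\0';
    }
    size_t n = strlen(file);
    if (n > ISO_ID_MAX) return -1;
    if (len + n >= outsz) return -1;          /* filename + NUL must fit */
    memcpy(out + len, file, n);
    len += n;
    out[len] = '\0';
    return (int)len;
}

/* Benign case: a shallow tree fits, and both builders produce the same path. */
static const char *demo_shallow_path(void)
{
    static char out[PATH_BUF];
    const char *dirs[] = { "DOCS", "2007" };  /* constructed sample tree */
    build_path_checked(out, sizeof out, dirs, 2, "README.TXT;1");
    return out;
}

static int unchecked_matches_checked_when_it_fits(void)
{
    char a[PATH_BUF], b[PATH_BUF];
    const char *dirs[] = { "DOCS", "2007" };
    build_path_unchecked(a, dirs, 2, "README.TXT;1");
    build_path_checked(b, sizeof b, dirs, 2, "README.TXT;1");
    return strcmp(a, b) == 0;
}

/* Hostile case: 'depth' nested directories whose names are each at the
 * 31-byte limit. Returns what the checked builder returns; the unchecked
 * builder is deliberately not called here because it would overrun 'out'. */
static int deep_chain_result(size_t depth)
{
    static char names[MAX_DEPTH][ISO_ID_MAX + 1];
    const char *dirs[MAX_DEPTH];
    char out[PATH_BUF];
    if (depth > MAX_DEPTH) return -1;
    for (size_t i = 0; i < depth; i++) {
        memset(names[i], 'A', ISO_ID_MAX);
        names[i][ISO_ID_MAX] = '\0';
        dirs[i] = names[i];
    }
    return build_path_checked(out, sizeof out, dirs, depth, "PAYLOAD.BIN");
}

int main(void)
{
    printf("shallow: %s\n", demo_shallow_path());
    for (size_t d = 6; d <= 9; d++)
        printf("depth %zu: %d\n", d, deep_chain_result(d));
    return 0;
}
```

With 31-byte names and a 260-byte buffer, seven nesting levels still fit (7 * 32 + 11 = 235 bytes), while eight do not: the checked builder refuses the eighth level instead of writing past the buffer, which is exactly the point at which the unchecked pattern would begin overwriting the saved return address and the SEH record on the stack.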
POC / Test Code
The following POC ISO files exploit the vulnerability to run calc.exe or to crash PowerArchiver. The code execution POC has been successfully tested on English WinXP SP2 and Win2K SP4.
- powarcEXPiso.iso (exploits the overflow to run calc.exe on English WinXP SP2 and Win2K SP4)
- powarcCRASHiso.iso (crashes PowerArchiver by using buffer overflow in ReadHeader() to overwrite saved EIP)
- powarcCRASH2iso.iso (crashes PowerArchiver via buffer overflow in LoadTree())
Instructions:
- Run PowerArchiver
- Click on the "Open" button or select "File->Open Archive..." from the menu.
- Select the POC ISO file from the File-Open Dialog Box and click "Open".
- A successful exploit will run calc.exe, or crash PowerArchiver when EIP is redirected to the overwritten SEH handler.
Patch / Workaround
Update to version 9.64.03.
Disclosure Timeline
2006-12-17 - Vulnerability Discovered.
2006-12-18 - Initial Vendor Notification.
2006-12-18 - Initial Vendor Reply.
2006-12-22 - Sent suggested source code fix to vendor.
2006-12-24 - Vendor provided fixed version for testing.
2006-12-24 - Informed vendor of more issues and provided vendor with additional source code fixes.
2006-12-25 - Vendor provided another fixed version for testing.
2006-12-29 - Received notification from vendor that fixed version has been uploaded to server.
2007-01-03 - Informed vendor of advisory release date.
2007-01-04 - Public Release.