
vuln.sg Vulnerability Research Advisory

WinImage FAT Image Long Pathname Buffer Overflow Vulnerabilities

by Tan Chew Keong
Release Date: 2007-05-17


Summary

Two vulnerabilities have been found in WinImage. When exploited, the first vulnerability allows execution of arbitrary code when the user extracts a file from a malicious FAT image. The second vulnerability allows overwriting of function pointers on the heap when the user traverses into a directory with an overly long name in a FAT image.


Tested Versions

WinImage 8.0.8000 (English Trial version)


Details

This advisory discloses two buffer overflow vulnerabilities in WinImage.

1) Stack-based Buffer Overflow

A boundary error exists in WinImage when constructing the full pathname of a file within a FAT image. This can cause a stack-based buffer overflow when the user attempts to extract a file from the FAT image using its full pathname. The buffer overflow can be triggered using a specially-crafted FAT image that contains overly long directory names in multiple levels of sub-directories.

In order to exploit this vulnerability successfully, the user must be convinced to extract a file from a FAT image using its full pathname. Execution of arbitrary code using this vulnerability has been confirmed on English WinXP SP2.

The following screen capture shows the EIP being overwritten when extracting from a specially-crafted FAT image.

2) Heap-based Buffer Overflow

A boundary error exists in WinImage when handling the full pathname of a directory within a FAT image. This can cause a heap-based buffer overflow when the user attempts to traverse into a directory with an overly long name in a FAT image. The buffer overflow can be triggered using a specially-crafted FAT image that contains overly long directory names in multiple levels of sub-directories.

In order to exploit this vulnerability successfully, the user must be convinced to open a FAT image and traverse into a directory that has an overly long name.

The following screen capture shows that it is possible to overwrite function pointers when the user traverses into a directory in a specially-crafted FAT image. Execution of arbitrary code using this vulnerability has been confirmed on English WinXP SP2 by overwriting the function pointer with a stack address that contains a pointer to the shellcode.
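As an added illustration (not WinImage's code, which is closed source), the following C routine shows the bounded pathname construction that removes the class of boundary error described above: every nested directory name from the image and the user-chosen extraction directory are charged against one fixed budget, and the path is refused rather than truncated or overflowed when the budget is exhausted. The buffer size (MAX_PATH), the per-component limit and the sample directory layout are assumptions; the second sample mirrors the case in the disclosure timeline where a long extraction path such as "C:\123412341234..\" still overflowed after the vendor's first fix.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 260   /* Windows MAX_PATH; assumed extraction buffer size */
#define FAT_LFN_MAX  255   /* assumed upper bound for one FAT long-name component */

/* Build "<dest>\<comp0>\...\<compN>" into out (outsz bytes). The user-supplied
 * extraction directory and every nested directory name from the image are
 * charged against the same fixed budget, so neither a deep chain of long names
 * nor a long destination can write past out. Returns the length, or -1 if it would not fit. */
int build_extract_path(const char *dest, const char **comps, size_t ncomps,
                       char *out, size_t outsz)
{
    size_t used = strlen(dest);
    if (outsz == 0 || used >= outsz) return -1;
    memcpy(out, dest, used);
    for (size_t i = 0; i < ncomps; i++) {
        size_t clen = strlen(comps[i]);
        if (clen == 0 || clen > FAT_LFN_MAX) return -1;  /* not a valid FAT name */
        size_t sep = (used == 0 || out[used - 1] != '\\') ? 1 : 0;
        if (clen + sep > outsz - 1 - used) return -1;     /* keep room for the NUL */
        if (sep) out[used++] = '\\';
        memcpy(out + used, comps[i], clen);
        used += clen;
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed sample layout (not the advisory's POC images): two nested
 * directories of 120 'A's plus a file. Under "C:\" the result fits; under
 * a longer destination such as "C:\123412341234...\" it must be refused,
 * the case the timeline records as defeating the vendor's first fix. */
int sample_path(const char *dest, char *out, size_t outsz)
{
    char longname[121];
    memset(longname, 'A', 120);
    longname[120] = '\0';
    const char *comps[] = { longname, longname, "README.TXT" };
    return build_extract_path(dest, comps, 3, out, outsz);
}

int main(void)
{
    char out[MAX_PATH_LEN];
    printf("short dest: %d\n", sample_path("C:\\", out, sizeof out));
    printf("long dest:  %d\n", sample_path("C:\\123412341234123412341234\\", out, sizeof out));
    return 0;
}
```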


POC / Test Code

The following POC IMA files exploit the vulnerabilities to run calc.exe or to crash WinImage. The code execution POC has been successfully tested on English WinXP SP2.

  • winimageEXP.ima (exploits the stack-based buffer overflow to run calc.exe on English WinXP SP2)
  • winimageCRASH1.ima (crashes WinImage by using the stack-based buffer overflow to overwrite the saved EIP)
  • winimageCRASH2.ima (crashes WinImage by using the heap-based buffer overflow to overwrite saved function pointers)


Instructions to reproduce vulnerability 1 (stack-based buffer overflow):

  1. Download the POC "winimageEXP.ima" and "winimageCRASH1.ima" files and save them to the hard-disk.
  2. Run WinImage.
  3. Open one of the POC IMA files in WinImage.
  4. Right-click on the folder with the name "AAAABBBBCCCC..." and choose "Extract" from the context menu. The "Extract" dialog box will pop up. (See screen capture below)
  5. Type in "C:\" as the path and select "Extract with pathname". (Please note that the exploit assumes that you'll extract into "C:\". Changing this to something else may cause the exploit to not work correctly.)
  6. A successful exploit will run calc.exe or crash WinImage.


Instructions to reproduce vulnerability 2 (Heap-based buffer overflow):

  1. Download the POC "winimageCRASH2.ima" file and save it to the hard-disk.
  2. Run WinImage.
  3. Open the POC IMA file in WinImage.
  4. Double-click on the folder with the name "AAAABBBBCCCC..."
  5. A successful exploit will crash WinImage due to the corrupted heap.


Patch / Workaround

Do not extract files from non-trusted FAT images, and do not traverse into directories of non-trusted FAT images.


Disclosure Timeline

2007-05-01 - Vulnerability discovered.
2007-05-03 - Initial vendor notification.
2007-05-04 - Second vendor notification.
2007-05-04 - Initial vendor reply.
2007-05-04 - Vulnerability description and POC files sent to vendor.
2007-05-13 - Vendor reminder sent.
2007-05-13 - Vendor sent fixed winimage.EXE file for testing.
2007-05-13 - Informed vendor that buffer overflow still occurs if the extraction path is set to "C:\123412341234..\" instead of "C:\".
2007-05-13 - Vendor sent another fixed winimage.EXE file for testing.
2007-05-13 - Informed vendor that the fix seems OK. Asked vendor when it will be released.
2007-05-17 - No confirmation from vendor regarding the release date of the fixed version.
2007-05-17 - Public disclosure.


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to