X-Diesel Unreal Commander v0.92 (build 573) multiple vulnerabilities

HISPASEC
Security Advisory
http://blog.hispasec.com/lab/

Name : X-Diesel Unreal Commander v0.92 (build 573) multiple vulnerabilities
Class : Local/Remote multiple directory traversal (Input Validation Error)

Threat level : HIGH
Discovered   : 2007-08-09
Published    : 2007-08-23
Credit       : Gynvael Coldwind
Vulnerable   : 0.92 (build 573), 0.92 (build 565), prior also may be affected

• Abstract ==

Unreal Commander is an award winning freeware file manager for Windows 98/ME/2000/XP/2003/Vista. The application support multiple archive formats, has a built-in ftp client, and other features.

Unreal Commander fails to check user-supplied input while processing ZIP and RAR archives. A malformed ZIP or RAR file can be used to perform a directory traversal attack and place malware files in a location selected by the attacker. Successful exploitation can lead to a full compromitation of the system.

• Details ==
  1. ZIP directory traversal The file name in a ZIP archive in the central directory can be malformed so that it contains upwards directory traversal, for example:

Something/../../../../../../Program Files/Something/ws2_32.dll

If the user upacks such an archive, the Unreal Commander will create the file ws2_32.dll in the specified directory, instead of the directory where the user wants to extract it. This may lead to system compromitation, especially if the user executes Unreal Commander with admin privileges.

PoC: http://blog.hispasec.com/lab/files/UnrealCommander_PoC_traversal.zip

2. ZIP name spoofing
A ZIP archive contains two places where a file's name is written: Local file header and Central Directory. Unreal Commander displays the file name according to the Central Directory, but extracts the file with the name from the Local File Header. This is may misinform the user about the files contained in the archive. This can help an attacker to trick the user into extracting a dangerous file (for example, an .ani file on an unpacked Windows).

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

PoC: http://blog.hispasec.com/lab/files/UnrealCommander_PoC_spoof.zip

3. ZIP file size heap information leak
If the ZIP has a malformed file size in the file header, then Unreal Commander writes to the file data from the heap. This could allow potential information leak (ftp passwords ?), but this has not been confirmed.

4. RAR directory traversal
Like point 1, but regarding to RAR format.

• Vendor status and solution ==

The vendor has been informed, but has not yet released a proper patch.

The solution is to check if a RAR or ZIP file contains ".." in the names of the files in the archives. It is also advised not to run Unreal Commander with administrative privileges.

• Disclaimer == This document and all the information it contains is provided "as is", without any warranty. Hispasec Sistemas is not responsible for the misuse of the information provided in this advisory. The advisory is provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

Copyright (C) 2007 Hispasec Sistemas.

--
Gynvael Coldwind
mailto: gynvael@vexillium.org
mailto: michael@hispasec.com