HISPASEC
Security Advisory
http://blog.hispasec.com/lab/

Name         : Fileinfo multiple vulnerabilities
Class        : Local DoS, Information Spoofing
Threat level : Low
Discovered   : 2007-08-05
Published    : 2007-08-20
Credit       : Gynvael Coldwind
Vulnerable   : 2.0.9, prior versions also may be affected


== Abstract ==

Fileinfo is a lister plugin for Total Commander, made by Francois
Gannier. It allows the user to view the structure of MZ, PE and COFF
files.

Fileinfo fails to check the sanity of input data, which successfully
exploited can lead to denying service to the legitimate user or can
allow injection of additional false information to the displayed ones.



== Details ==

1. In a PE file, the IMAGE_IMPORT_DESCRIPTOR contains fields named
OriginalFirstThunk and FirstThunk. Both of them point to an array of
IMAGE_THUNK_DATA structures. The structure may contain an RVA address
of the name of the imported function. If this pointer to the name of
the function is invalid, Fileinfo raises an Access Violation
exception, which being unhandled, causes Denial of Service condition.
This ends up terminating both Fileinfo plugin and the Total Commander
process.

2. In a PE file, the IMAGE_EXPORT_DIRECTORY contains a field named
AddressOfNames, which points to an array of RVA addresses of function
names. Just like in point 1, if the pointer is invalid, Fileinfo
raises an Access Violation exception, which causes DoS condition.

3. In a PE file, the IMAGE_OPTIONAL_HEADER contains an array of
IMAGE_DATA_DIRECTORY structures called DataDirectory. This structure
contains, above other, the size of the import directory. Fileinfo
fails to check this field in the Image File Header tab, which may
lead to printing out information about false DLL files, that in
reality are not loaded and not used.

4. In a PE file, the IMAGE_IMPORT_DESCRIPTOR contains pointers to
arrays of pointer to strings, and a pointer to a name of the DLL being
loaded. Additional to this, IMAGE_EXPORT_DIRECTORY also contains a
pointer to an array of pointer to strings. If any of this strings is
malformed, it is written out "as is", without proper handling of \r
and \n characters, and without any size check. This allows to forge
the string to look like original Fileinfo information in the Image
File Header tab. This can be used to misinform the user about the
structure of the PE file, it's imports and exports.

Additionally, using together points 3. and any other allows to create a
working PE file, which causes DoS condition to Fileinfo, or misinforms
the user about the structure of PE file.


== Proof of concept ==

http://blog.hispasec.com/lab/files/Fileinfo_DoS.exe
http://blog.hispasec.com/lab/files/Fileinfo_Spoof.exe
http://blog.hispasec.com/lab/files/Fileinfo_Spoof_Action.png

== Vendor status and solution ==

The vendor has been informed, but has not yet released a patched
version.

Until a new-fixed version is released, it is advised to becareful
while viewing PE files from unknown sources.


== Disclaimer ==
This document and all the information it contains is provided "as is",
without any warranty. Hispasec Sistemas is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

Copyright (C) 2007 Hispasec Sistemas.

-- 
Gynvael Coldwind
mailto: gynvael@vexillium.org
mailto: michael@hispasec.com