
winimage-traverse.txt

Posted Sep 18, 2007
Authored by Matthew Jurczyk | Site vexillium.org

WinImage version 8.10 is susceptible to denial of service and directory traversal vulnerabilities.

tags | exploit, denial of service, vulnerability, file inclusion
SHA-256 | 89be441d7ec8a391773bc8232af0584811a2aad40f9cb06cd0bd23c9e44405a9

Team Vexillium
Security Advisory
http://vexillium.org/

Name : WinImage 8.10 Multiple Vulnerabilities
Class : Denial of Service and Directory Traversal
Threat level : LOW (DoS), MED (Dir. traversal vuln)
Discovered : 2007-08-31
Published : 2007-09-15
Credit : j00ru//vx
Vulnerable : WinImage 8.10,
             WinImage 8.0,
             prior versions may also be affected


== Abstract ==

WinImage is a disc image exploring application with many
useful functions, such as injecting files into and extracting files
from data images, handling virtual machines' hard drives and so on.

The first vulnerability - Denial of Service - exists in the FAT image
handling function (mainly diskette image files are able to cause this kind
of application hang, but it's also possible that modifying the headers of
other image formats may lead to the same program behaviour).
A successful DoS attack is achieved by opening a special .IMG
file with its header modified. Because of bad FAT header handling,
the application may get into an infinite loop, so that the
only way out is to terminate the process.

The second one - a Directory Traversal vuln - was reported in .IMG
and .ISO image processing. There is no function to check whether
a filename or directory name contains a string like ".." etc.
during file extraction. In this case, extracting an image file
containing folders/files with malformed names may be used to create a file or
directory in any location (specified by the attacker) on the selected partition,
without the user's knowledge.



== Details ==

1. Denial of Service vulnerability

The DoS attack is very easy to carry out, it's just about modifying
a few bytes in the diskette disc image - IMG file. The header value that is
not being checked by WinImage is BPB_BytsPerSec, a WORD (2 bytes in size)
at offset 11, as written in "Microsoft Extensible Firmware Initiative
FAT32 File System Specification".
The most important thing is clearly explained in the document:


"This value may take on only the following values: 512, 1024, 2048 or 4096."


There is no such condition in the program code processing the FAT header. Therefore,
we can change the value to anything in the range of 0-65535. After the 2-byte modification:


EB 3C 90 29 6C 75 68 64 49 48 43 00 {00 02} 01 00
--->
EB 3C 90 29 6C 75 68 64 49 48 43 00 {AA AA} 01 00


opening the changed file won't succeed, but the application will hang
instead, getting into an infinite loop. To be more precise, the endless
loop looks like this:


.text:00415432 loc_415432: ; CODE XREF: sub_415400+4Aj
.text:00415432 test eax, eax
.text:00415434 jbe short loc_41544C
.text:00415436 mov ecx, [esi+210h]
.text:0041543C add [ebx], ecx
.text:0041543E mov edi, eax
.text:00415440 call sub_4155C0
.text:00415445 cmp eax, 0FFFFFF0h
.text:0041544A jb short loc_415432



Having such a modified file, the only thing left to do is to convince somebody
to open it. This Denial of Service attack is not very harmful in fact,
although it's a typical header-based vulnerability, and it is advised that it be corrected.


Proof of Concept: http://j00ru.vexillium.org/vuln/winimage/dos_PoC.IMG


2. Directory Traversal vulnerability


A specially malformed disc image file (as before, .IMG and .ISO file processing
is vulnerable, but other formats' handling is also likely to be vulnerable) may
contain a directory/file name with an upwards dir traversal string inside,
such as:

readme.txt/../../../../../../../../sth.bat

During extraction of a file named like this, WinImage will create "sth.bat" in the
partition root rather than the expected "readme.txt" in the specified path. In that case,
it's even possible to extract a file with any name we want to any location we choose.
For example, exploiting this vulnerability may lead to extraction of a .BAT file to the
Autostart directory on the Windows installation partition.
Another important thing is that the real file name/path of the file can be hidden
by making it look like:


readme.txt /../../../../../../../../asdf.exe


It's the same situation with folders. If a directory name is, for example,
"../../../../../../../../asdf", then all its subdirectories and files
will be extracted to a folder named "asdf", created in the root of
the partition.
Both file and directory name modifications are shown in the
PoC file provided (TEST1, TEST2 folders).


Proof of Concept: http://j00ru.vexillium.org/vuln/winimage/dir_PoC.IMG



== Solution ==


1. Denial of Service vulnerability

The best way to get rid of the ability to make WinImage hang is adding
a function to check the BPB_BytsPerSec value, and inform the user about
the image header error if it's greater than 4096 (or even if the value
is not equal to 512, 1024, 2048 or 4096). This should be enough to eliminate
this kind of DoS vulnerability.
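
A sketch of the header check described above, as an added example (not code from the advisory or from WinImage). The function name, status codes and the 16-byte sample buffer are assumptions made for illustration; only the field offset and the allowed values come from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum bpb_status { BPB_OK = 0, BPB_TOO_SHORT, BPB_BAD_SECTOR_SIZE };

#define BPB_BYTSPERSEC_OFF 11u  /* offset given in the advisory */

/* Hypothetical helper: decode BPB_BytsPerSec (little-endian WORD) and
 * accept only the four values the FAT specification allows. */
enum bpb_status check_bytes_per_sector(const uint8_t *boot, size_t len,
                                       uint16_t *out)
{
    if (boot == NULL || len < BPB_BYTSPERSEC_OFF + 2u)
        return BPB_TOO_SHORT;   /* never read past the supplied buffer */

    uint16_t v = (uint16_t)(boot[BPB_BYTSPERSEC_OFF] |
                            (boot[BPB_BYTSPERSEC_OFF + 1u] << 8));
    if (out != NULL)
        *out = v;

    switch (v) {
    case 512: case 1024: case 2048: case 4096:
        return BPB_OK;
    default:
        /* 0, 0xAAAA and every other value are refused here, before
         * the rest of the image parser gets to use the field. */
        return BPB_BAD_SECTOR_SIZE;
    }
}

/* Constructed sample: 16 zero bytes with only the field under test set. */
static void make_sample(uint8_t buf[16], uint16_t bytes_per_sec)
{
    for (size_t i = 0; i < 16; i++)
        buf[i] = 0;
    buf[BPB_BYTSPERSEC_OFF]      = (uint8_t)(bytes_per_sec & 0xFF);
    buf[BPB_BYTSPERSEC_OFF + 1u] = (uint8_t)(bytes_per_sec >> 8);
}

int main(void)
{
    uint8_t img[16];
    uint16_t v = 0;
    make_sample(img, 0xAAAA);   /* the modified value from the advisory */
    enum bpb_status st = check_bytes_per_sector(img, sizeof img, &v);
    printf("BPB_BytsPerSec=%u status=%d\n", (unsigned)v, (int)st);
    return st == BPB_BAD_SECTOR_SIZE ? 0 : 1;
}
```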


2. Directory Traversal vulnerability

In the case of this vuln, the only thing to do is to check all the files' and
directories' names. If there are any ".." strings found, they should simply be
removed from the name before the extraction process itself. It is also a nice idea
not to run the WinImage program with administrative privileges, just to disable
access to the most important Windows directories like "Program Files", "WINDOWS" etc ;>
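
A sketch of the name check, as an added example (not code from the advisory or from WinImage). It rejects an entry whose path has a ".." component rather than stripping the string as proposed above, so names that merely contain two dots still extract; the function name, the handling of trailing spaces and the benign sample names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Hypothetical helper: true only if `name`, a path stored inside the
 * image, stays below the extraction directory when appended to it. */
bool entry_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || is_sep(name[0]))
        return false;                 /* empty or rooted path */
    if (strchr(name, ':') != NULL)
        return false;                 /* drive letter, e.g. "C:..." */

    for (const char *p = name; *p != '\0'; ) {
        const char *end = p;          /* isolate one path component */
        while (*end != '\0' && !is_sep(*end))
            end++;
        size_t len = (size_t)(end - p);
        /* Assumption: trailing spaces are ignored, so ".. " is
         * treated like "..". */
        while (len > 0 && p[len - 1] == ' ')
            len--;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;             /* upward traversal component */
        p = (*end != '\0') ? end + 1 : end;
    }
    return true;
}

int main(void)
{
    /* Two names from the advisory plus two constructed benign ones. */
    const char *names[] = {
        "readme.txt/../../../../../../../../sth.bat",
        "../../../../../../../../asdf",
        "docs/readme.txt",
        "notes..old/a..b.txt",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-45s %s\n", names[i],
               entry_name_is_safe(names[i]) ? "extract" : "reject");
    return 0;
}
```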



== Vendor status ==

The vendor has been informed about these vulnerabilities, but has not yet released
a fixed program version.



== Disclaimer ==

This document and all the information it contains is provided "as is",
without any warranty. Author is not responsible for the misuse
of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

Copyright (C) 2007 j00ru of the Vexillium.