winuaebof.txt

Posted Dec 24, 2007
Authored by Luigi Auriemma | Site aluigi.org

WinUAE versions 1.4.4 and below suffer from a buffer overflow vulnerability.

tags | advisory, overflow
SHA-256 | d4b6cea98b13ad48f55a7ce4b8766bc9b8cb55012560c1e6d2e794b4cd9ab867

#######################################################################

Luigi Auriemma

Application: WinUAE
http://www.winuae.net
Versions: <= 1.4.4
Platforms: Windows
Bug: buffer-overflow
Exploitation: local
Date: 21 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


WinUAE is the best-known and most widely used Amiga emulator for Windows.

A note about this advisory:
UAE (and consequently WinUAE) is affected by some design bugs which
introduce other security problems (as pointed out by the same developer),
so I focused only on the following non-design security bug.


#######################################################################

======
2) Bug
======


WinUAE supports various types of compressed floppy disk images.
Gzip compression (images with the gz, adz, roz and hdz extensions) is
handled by an internal function called zfile_gunzip, which uses a
stack buffer of 1000 (MAX_DPATH) bytes to hold the name of the file
stored in the gzipped archive.
The instructions that copy the name from the archive into the buffer
don't check its length, allowing an attacker to exploit the resulting
buffer overflow to execute malicious code.

From zfile.c:

struct zfile *zfile_gunzip (struct zfile *z)
{
    uae_u8 header[2 + 1 + 1 + 4 + 1 + 1];   /* fixed 10-byte gzip header */
    z_stream zs;
    int i, size, ret, first;
    uae_u8 flags;
    long offset;
    char name[MAX_DPATH];                   /* 1000-byte stack buffer */
    uae_u8 buffer[8192];
    ...
    /* copies the archive's file name one byte at a time until a NUL is
       read; nothing compares i against MAX_DPATH, so a longer name
       writes past the end of name[] */
    do {
        zfile_fread (name + i, 1, 1, z);
    } while (name[i++]);
    ...
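A bounded version of that read, as an added example (not WinUAE's code and not the fix shipped in 1.4.5): it parses the fixed 10-byte gzip header that the header[] array above corresponds to, then copies the NUL-terminated original file name only while it fits, rejecting the over-long name the original do/while loop would have written past name[]. The mem_stream reader, gz_read_fname and the two demo functions are assumptions standing in for zfile_fread and for real disk images.

```c
#include <stdint.h>
#include <string.h>
#define MAX_DPATH 1000        /* same size as WinUAE's name[] stack buffer */
#define GZ_FLG_FNAME 0x08     /* RFC 1952 FLG bit: original file name follows */

/* In-memory stand-in for a zfile stream (an assumption, not WinUAE's API). */
struct mem_stream { const uint8_t *data; size_t len, pos; };

static int ms_getc(struct mem_stream *s) {
    return s->pos < s->len ? s->data[s->pos++] : -1;
}

/* Reads the gzip FNAME field into name[namelen] with a bound. Returns the
 * name length, -1 on a malformed or truncated header, -2 when the name would
 * not fit: the case the original loop never checked. FEXTRA is not handled. */
int gz_read_fname(struct mem_stream *s, char *name, size_t namelen) {
    uint8_t hdr[10];                      /* ID1 ID2 CM FLG MTIME XFL OS */
    size_t i;
    for (i = 0; i < sizeof hdr; i++) {
        int c = ms_getc(s);
        if (c < 0) return -1;
        hdr[i] = (uint8_t)c;
    }
    if (hdr[0] != 0x1f || hdr[1] != 0x8b || hdr[2] != 8) return -1;
    if (!(hdr[3] & GZ_FLG_FNAME)) { name[0] = '\0'; return 0; }
    /* Original: do { zfile_fread(name + i, 1, 1, z); } while (name[i++]);
     * stops only at NUL, so an over-long name runs off the end of name[]. */
    for (i = 0; ; i++) {
        int c = ms_getc(s);
        if (c < 0) return -1;
        if (i >= namelen) return -2;      /* reject instead of overflowing */
        name[i] = (char)c;
        if (c == 0) return (int)i;
    }
}

/* Constructed sample inputs, not taken from any real disk image. */
static char demo_name[MAX_DPATH];
int demo_short_name(void) {               /* "disk.adf": fits, returns 8 */
    static const uint8_t img[] = { 0x1f, 0x8b, 8, GZ_FLG_FNAME, 0, 0, 0, 0, 0, 3,
                                   'd', 'i', 's', 'k', '.', 'a', 'd', 'f', 0 };
    struct mem_stream s = { img, sizeof img, 0 };
    return gz_read_fname(&s, demo_name, sizeof demo_name);
}
int demo_long_name(void) {                /* 2048 bytes, no NUL: returns -2 */
    static uint8_t img[10 + 2048];
    struct mem_stream s = { img, sizeof img, 0 };
    memcpy(img, "\x1f\x8b\x08\x08\0\0\0\0\0\x03", 10);
    memset(img + 10, 'A', 2048);
    return gz_read_fname(&s, demo_name, sizeof demo_name);
}
```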


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/winuaebof.zip


#######################################################################

======
4) Fix
======


Version 1.4.5


#######################################################################


---
Luigi Auriemma
http://aluigi.org