WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability By Sowhat of Nevis Labs Date: 2006.04.28 http://www.nevisnetworks.com http://secway.org/advisory/AD20060428.txt CVE: N/A Vendor WinISO Computing Inc. EZB Systems, Inc. MagicISO Inc. PowerISO Computing, Inc. Affected Software WinISO 5.3 UltraISO V8.0.0.1392 Magic ISO 5.0 Build 0166 PowerISO v2.9 Rating: Moderately critical ( 4 * Less Critical :) Overview: WinISO/UltraISO/PowerISO/MagicISO are the 4 most popular software to edit BIN/ISO or almost all images file(s) directly! It can process almost all CD-ROM image file(s) including ISO and BINs. There is a vulnerability exists in WinISO and UltraISO, which potentially can be exploited by malicious people to compromise a user's system. Description: The vulnerability is caused due to an input validation error when extracting an ISO archive. This makes it possible to have files extracted to arbitrary locations outside the specified directory using the "../" directory traversal sequence. The vulnerability has been confirmed in version WinISO 5.3,UltraISO V8.0.0.1392, PowerISO v2.9,Magic ISO 5.0 Build 0166 Other versions may also be affected. POC: http://secway.org/exploit/PoC.iso.bin Rename the PoC.iso.bin to Poc.iso, Extracting the PoC.iso from C driver will write a "POC" file in your startup folder. FIX: Please check the vendor's website for update. PowerISO: "We will fixed this bug in the next released version. In the version, we will check file name before extract. If such file is detected, the path name will be removed from the file name, and the program will allow user to choose whether this file can be extracted" "Following is the registration code for you as our gift. We think this may let you to use all features of PowerISO. User Name : Sowhat Registration Code : ........" When will Microsoft give a Windows XP license for the researchers who ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ reported a critical MS bugz for gift? :) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ UltraISO: "Thanks for your message and the sample ISO image. We will check it and try to fix any bugs related to this issue soon." UltraISO fixed this vulnerability in 1 hour, but they didnt release a new version, because "In general, we do not change version number for minor changes. This bug fix will be included in next file update soon." MagicISO: "Oops. Yes, we confirm this problem. Thank you for your report and sorry for our mistake. We will fix this problem in next build asap." WinISO: Cannot be reached because of their Mail SYSTEM problems,I have tried GMAIL and Hotmail over 10 times, "Delivery to the following recipient failed permanently: support@winiso.com" "Delivery to the following recipient failed permanently: info@winiso.com" Vendor Response: 2006.04.18 4 Vendors notified via support@xxxxx.com 2006.04.18 3 of 4 Vendors responded 2006.04.28 Advisory released -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/