fokinow.blogg.se

Total commander boot

vuln.sg Vulnerability Research Advisory

Iso_wincmd Plugin for Total Commander Buffer Overflow Vulnerability

A vulnerability has been found in the iso_wincmd plugin for Total Commander. When exploited, the vulnerability allows execution of arbitrary code when the user opens a malicious ISO file. Note: Other products that use the code of iso_wincmd are potentially also affected. The vendors of these products have been notified and will be releasing fixes shortly.

This is NOT a Total Commander vulnerability. The vulnerability exists in the iso_wincmd plugin, which is written by a third party.

This advisory discloses a buffer overflow vulnerability in iso_wincmd. The stack-based buffer overflow occurs when the plugin is constructing the full pathname of a file within an ISO image. This can be exploited to cause a stack-based buffer overflow and allows execution of arbitrary code.

In order to exploit this vulnerability successfully, the user must be convinced to open a malicious ISO image file using this plugin in Total Commander. The buffer overflow occurs within the LoadTree() and ReadHeader() functions.

The LoadTree() and ReadHeader() functions construct the full pathname of each file in the ISO image by reading the directory entries within the ISO file. The directory name that is read from each directory entry is concatenated together using lstrcatA(), and finally with the filename. Subsequently, the constructed full pathname is copied into a fixed-length stack buffer using the unsafe lstrcpyA() function. The length of each directory name is limited by the ISO format. However, it is possible to create an ISO image that contains a file nested within several levels of directories. This will create a full pathname that overflows the stack buffer, thus allowing the saved EIP and SEH handler to be overwritten.

The following POC ISO files will exploit the vulnerability to run calc.exe or crash Total Commander when the iso_wincmd Plugin is installed. The code execution POC has been successfully tested on English versions of WinXP SP2 and Win2K SP4 with Total Commander 6.55a.

- isowincmdEXP.iso (exploits the overflow to run calc.exe on English WinXP SP2/Win2K SP4 with Total Commander 6.55a).
- isowincmdCRASH.iso (crashes Total Commander with iso_wincmd Plugin via ReadHeader() overflow).
- isowincmdCRASH2.iso (crashes Total Commander with iso_wincmd Plugin via LoadTree() overflow).

    /* lstrcpyn copies at most (third argument - 1) characters and always NUL-terminates */
    lstrcpyn( directory.FileName, (char*)record->FileIdentifier,
              min(record->LengthOfFileIdentifier + 1, sizeof(directory.FileName)));
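A bounded alternative to the lstrcatA()/lstrcpyA() pathname construction this advisory describes, as an added example that is not the plugin's code: each length-prefixed name is checked against the space left in the buffer before it is copied, so a deeply nested entry is rejected instead of overrunning the stack. The function names, the backslash separator and the 260-byte capacity are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PATH_CAP 260  /* assumed capacity; the advisory does not state the real size */

/* Append one length-prefixed name (plus a '\\' separator when needed) to dst.
 * Returns 0 on success, -1 if it would not fit. On failure dst is unchanged,
 * and it is always left NUL-terminated. */
static int path_append(char *dst, size_t cap, const char *name, size_t name_len)
{
    const char *end = memchr(dst, '\0', cap);
    if (end == NULL)
        return -1;                         /* dst not terminated inside cap */
    size_t used = (size_t)(end - dst);
    size_t sep = (used > 0 && dst[used - 1] != '\\') ? 1 : 0;
    /* Wrap-free form of: used + sep + name_len + 1 <= cap */
    if (name_len > cap - used - 1 || sep > cap - used - 1 - name_len)
        return -1;
    if (memchr(name, '\0', name_len) != NULL)
        return -1;                         /* embedded NUL would hide the tail */
    if (sep)
        dst[used++] = '\\';
    memcpy(dst + used, name, name_len);
    dst[used + name_len] = '\0';
    return 0;
}

/* Build dir\dir\...\file from `depth` nested copies of one directory name,
 * rejecting the whole entry as soon as a component does not fit. */
int build_full_path(char *out, size_t cap, const char *dir, size_t dir_len,
                    unsigned depth, const char *file, size_t file_len)
{
    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (unsigned i = 0; i < depth; i++)
        if (path_append(out, cap, dir, dir_len) != 0)
            return -1;
    return path_append(out, cap, file, file_len);
}

int main(void)
{
    char buf[PATH_CAP];
    /* Constructed input: a file nested inside 100 directories named "DIR". */
    int rc = build_full_path(buf, sizeof buf, "DIR", 3, 100, "A.TXT", 5);
    printf("deep tree: %s\n", rc == 0 ? buf : "rejected (path too long)");
    return 0;
}
```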






