https://cxsecurity.com/issue/WLB-2005100001
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-009

VirtoolsWebPlayer是virtools导出到网页所需要的播放器。VirtoolsWebPlayer3.0.0.100及之前版本存在目录遍历漏洞。远程攻击者可以借助文件名中的..改写任意文件。

#######################################################################

Luigi Auriemma

Application:  Virtools Web Player and probably also other applications
              which can read the Virtools files but I can't test
              http://www.virtools.com
Versions:     <= 3.0.0.100
Platforms:    Windows (seems also Mac is supported)
Bugs:         A] buffer-overflow
              B] directory traversal
Exploitation: remote/local
Date:         30 Sep 2005
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org [email concealed]
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Virtools is a set of applications for creating games, demos, CAD,
simulations and other multimedia stuff.
Virtools Web Player is the program which allows the usage of these
creations from the net through its implementation in the web browser.

#######################################################################

=======
2) Bugs
=======

Other than the scripts the Virtools packages (for example those with
extension VMO) contain also some additional files like mp3, wav, images
and so on which are extracted in a temporary folder in the system temp
directory like, for example, c:windowstempVTmp26453

------------------
A] buffer-overflow
------------------

Exists a buffer-overflow bug which happens during the handling of the
names of the files contained in the Virtools packages.
A filename of at least 262 bytes overwrites the EIP register allowing
possible execution of malicious code.

----------------------
B] directory traversal
----------------------

As previously said the files are stored in a temporary directory and if
already exist files with the same names they are fully overwritten.
The problem here is that there are no checks on the filenames so the
usage of the classical ".." patterns allows an attacker to overwrite
any file in the disk where is located the system temp folder (usually
c:).

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/virtbugs.zip

#######################################################################

======
4) Fix
======

Version 3.0.0.101

#######################################################################

--- 
Luigi Auriemma 
http://aluigi.altervista.org

来源:SECUNIA
名称:17034
链接:http://secunia.com/advisories/17034/
来源:BUGTRAQ
名称:20050930Buffer-overflowanddirectorytraversalbugsinVirtoolsWebPlayer
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=112811771331997&w;=2
来源:MISC
链接:http://aluigi.altervista.org/adv/virtbugs-adv.txt
来源:XF
名称:virtools-file-overwrite(22471)
链接:http://xforce.iss.net/xforce/xfdb/22471
来源:BID
名称:14991
链接:http://www.securityfocus.com/bid/14991
来源:SECTRACK
名称:1014993
链接:http://securitytracker.com/id?1014993
来源:SREASON
名称:40
链接:http://securityreason.com/securityalert/40