Virtools Web Player Directory Traversal Vulnerability

Vulnerability ID: 1197724
Vulnerability type: Path traversal
Published: 2005-10-04
Updated: 2005-10-20
CVE ID: CVE-2005-3136
CNNVD-ID: CNNVD-200510-009
Platform: N/A
CVSS score: 5.0
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2005100001
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-009
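|Vulnerability Details
Virtools Web Player is the player required to run content exported from Virtools to web pages. Virtools Web Player 3.0.0.100 and earlier versions contain a directory traversal vulnerability. A remote attacker can overwrite arbitrary files by using .. in a file name.
|Vulnerability EXP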
#######################################################################

Luigi Auriemma

Application:  Virtools Web Player and probably also other applications
              which can read the Virtools files but I can't test
              http://www.virtools.com
Versions:     <= 3.0.0.100
Platforms:    Windows (seems also Mac is supported)
Bugs:         A] buffer-overflow
              B] directory traversal
Exploitation: remote/local
Date:         30 Sep 2005
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Virtools is a set of applications for creating games, demos, CAD,
simulations and other multimedia stuff.
Virtools Web Player is the program which allows the usage of these
creations from the net through its implementation in the web browser.

#######################################################################

=======
2) Bugs
=======

Besides the scripts, the Virtools packages (for example those with
extension VMO) also contain some additional files like mp3, wav, images
and so on, which are extracted to a temporary folder in the system temp
directory like, for example, c:\windows\temp\VTmp26453

------------------
A] buffer-overflow
------------------

There is a buffer-overflow bug which happens during the handling of the
names of the files contained in the Virtools packages.
A filename of at least 262 bytes overwrites the EIP register, allowing
possible execution of malicious code.

----------------------
B] directory traversal
----------------------

As previously said, the files are stored in a temporary directory and if
files with the same names already exist they are fully overwritten.
The problem here is that there are no checks on the filenames, so the
usage of the classical ".." patterns allows an attacker to overwrite
any file on the disk where the system temp folder is located (usually
c:\).

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/virtbugs.zip

#######################################################################

======
4) Fix
======

Version 3.0.0.101

#######################################################################

--- 
Luigi Auriemma 
http://aluigi.altervista.org
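
The two missing checks described in section 2 of the advisory, shown as an added defensive example (not code from the advisory, its proof of concept, or Virtools). The function name `safe_member_path`, the 255-byte name limit and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Virtools code): build the on-disk path for a
 * file name read from a package, or refuse it.
 * Returns 0 on success, -1 if the name is rejected. */
int safe_member_path(const char *tmpdir, const char *name,
                     char *out, size_t outsz)
{
    size_t len = strlen(name);

    /* Bug A: bound the name before it reaches any fixed-size buffer.
     * 255 is an assumed limit, not a value from the advisory. */
    if (len == 0 || len > 255)
        return -1;

    /* Bug B: embedded files are flat names, so any path separator or
     * drive/stream colon means the write could leave tmpdir. */
    if (strpbrk(name, "/\\:") != NULL)
        return -1;

    /* Win32 strips trailing dots and spaces, so reject them; this also
     * covers the bare "." and ".." components. */
    if (name[len - 1] == '.' || name[len - 1] == ' ')
        return -1;

    /* snprintf returns the length it needed; truncation is a failure. */
    int n = snprintf(out, outsz, "%s\\%s", tmpdir, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the proof of concept. */
    const char *names[] = { "music.mp3", "..\\..\\target.txt",
                            "a/../b.wav", "c:other.dll", ".." };
    char path[300];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = safe_member_path("C:\\WINDOWS\\TEMP\\VTmp26453",
                                  names[i], path, sizeof path);
        printf("%-20s -> %s\n", names[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```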
|References

Source: SECUNIA
Name: 17034
Link: http://secunia.com/advisories/17034/
Source: BUGTRAQ
Name: 20050930 Buffer-overflow and directory traversal bugs in Virtools Web Player
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112811771331997&w=2
Source: MISC
Link: http://aluigi.altervista.org/adv/virtbugs-adv.txt
Source: XF
Name: virtools-file-overwrite(22471)
Link: http://xforce.iss.net/xforce/xfdb/22471
Source: BID
Name: 14991
Link: http://www.securityfocus.com/bid/14991
Source: SECTRACK
Name: 1014993
Link: http://securitytracker.com/id?1014993
Source: SREASON
Name: 40
Link: http://securityreason.com/securityalert/40
