Thursday, October 06, 2005

[NT] Virtools Web Player Multiple Vulnerabilities (Buffer-Overflow, Directory Traversal)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Virtools Web Player Multiple Vulnerabilities (Buffer-Overflow, Directory
Traversal)
------------------------------------------------------------------------

SUMMARY

"Virtools <http://www.virtools.com> is a set of applications for creating
games, demos, CAD, simulations and other multimedia stuff."

Virtools does not validate filenames or their length, allowing local
attackers to execute arbitrary code through buffer overflow and directory
traversal vulnerabilities.

DETAILS

Vulnerable Systems:
* Virtools version 3.0.0.100

Immune Systems:
* Virtools version 3.0.0.101

Buffer Overflow:
A buffer overflow occurs during the handling of the names of the files
contained in Virtools packages. A filename of at least 262 bytes
overwrites the EIP register, allowing possible execution of malicious
code.

Directory Traversal:
Plugin files are stored in a temporary directory, and any existing files
with the same names are fully overwritten. Because the filenames are not
checked, the classic "..\" pattern lets an attacker overwrite any file on
the disk that holds the system temp folder (usually c:\).
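
Added example (not part of the advisory, and not Virtools or the researcher's code): one way an unpacker can check each filename read from a package before using it, covering both problems described above. The function name, return codes and the 260-byte destination size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed destination size (Windows MAX_PATH); the advisory does not state it */
#define NAME_BUF 260

enum { NAME_OK = 0, NAME_EMPTY, NAME_TOO_LONG, NAME_HAS_PATH, NAME_BAD_CHAR };

/*
 * Validate a filename taken from an untrusted package before it is copied
 * into a fixed buffer or appended to the temp directory. `len` comes from
 * the package, so the name is not assumed to be NUL-terminated.
 * On success the name is copied, NUL-terminated, into out[NAME_BUF].
 */
int check_member_name(const unsigned char *name, size_t len, char out[NAME_BUF])
{
    size_t i;

    if (len == 0)
        return NAME_EMPTY;
    if (len >= NAME_BUF)                        /* keep room for the terminator */
        return NAME_TOO_LONG;

    for (i = 0; i < len; i++) {
        unsigned char c = name[i];
        if (c == '\\' || c == '/' || c == ':')  /* separators, drive letters */
            return NAME_HAS_PATH;
        if (c < 0x20)                           /* embedded NUL, control bytes */
            return NAME_BAD_CHAR;
    }
    /* "." and ".." contain no separator but still name a directory */
    if ((len == 1 && name[0] == '.') ||
        (len == 2 && name[0] == '.' && name[1] == '.'))
        return NAME_HAS_PATH;

    memcpy(out, name, len);
    out[len] = '\0';
    return NAME_OK;
}

int main(void)
{
    char out[NAME_BUF];
    const char *bad = "..\\..\\x.dll";          /* constructed sample input */
    /* prints 3 (NAME_HAS_PATH) */
    printf("%d\n", check_member_name((const unsigned char *)bad, strlen(bad), out));
    return 0;
}
```

The check accepts plain file names only, which matches the advisory's description of plugin files being written directly into one temporary directory.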

Exploit:
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#ifdef WIN32
#include <io.h>

/* Windows lacks these BSD-style types and ftruncate(); map them locally */
typedef unsigned char u_char;
typedef unsigned int u_int;
#define ftruncate chsize
#else
#include <unistd.h>
#include <sys/types.h>
#endif
