93054 2005-05-18 04:51 0000 app-cdr/[xbiso|extract-xiso|xdvdfs-tools]: directory traversal when extracting xbox-images 2005-05-27 13:38:16 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified x86 Linux RESOLVED FIXED B3 [noglsa] koon P2 minor --- 1 dercorny@gentoo.org security@gentoo.org chrb@gentoo.org hostmaster@ed-soft.at dercorny@gentoo.org 2005-05-18 04:51:05 0000 When extracting a specially crafted xbox-iso image, it is possible to traverse directories. Maybe it's possible to overwrite the .bashrc with arbitrary code. Reproducible: Always Steps to Reproduce: 1. Get a specially crafted ISO-File 2. Extract 3. Check results Actual Results: bash-2.05b$ extract-xiso test.iso extract-xiso v2.4b2 for linux - written by in <in@fishtank.com> extracting test.iso: extracting test/.%2f..%2f..%2f..%2fTESTFILE (0 bytes) [OK] extracting test/./../../xploit (0 bytes) [OK] extracting test/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA~ (0 bytes) [OK] extracting test/OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO (0 bytes) [OK] 4 files in test.iso total 0 bytes bash-2.05b$ xdvdfs_extract test.iso Opening input file / device... Mounting filesystem... Extracting files... /./../../xploit /.%2f..%2f..%2f..%2fTESTFILE /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA~ /OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO Done. bash-2.05b$ xbiso test.iso bash: xbiso: command not found bash-2.05b$ ./xbiso test.iso Failed to create root directory: File exists Extracting file ./../../xploit Extracting file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA~ Extracting file OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO Extracting file .%2f..%2f..%2f..%2fTESTFILE End of archive Expected Results: Do whatever is necessary to prohibit directory traversals koon@gentoo.org 2005-05-18 07:48:19 0000 Upstream looks dead on xbiso and extract-xiso... chrb@gentoo.org 2005-05-18 10:29:05 0000 xiso bugzilla has a bug open for "Segmentation Fault (due to 'long filenames'?)" for a while. It's probably exploitable as well. I guess when these apps were written nobody thought about malicious ISO images. There's a perl port of xbiso at http://www.bogus.net/~codex/files/xbiso.tar.gz. Maybe it could be a suitable replacement (assuming it does better path checking, it does at least force a -d option) if no fix is forthcoming. xdvdfs-tools seems to have an official page now http://www.layouts.xbox-scene.com/ and a newer 2.1 release. Stefan, do you have any idea whether it's also vulnerable? dercorny@gentoo.org 2005-05-18 10:43:23 0000 xdvds_extract 2.1 has the same problem. chrb@gentoo.org 2005-05-19 03:23:52 0000 Maybe you could report it upstream? I had a quick look at the new xdvdfs tools site but couldn't find an email address anywhere. dercorny@gentoo.org 2005-05-19 05:55:56 0000 Ok, I tried to contact a guy called VooD via an email-address i found in his forum-profile. Let's hope it works... dercorny@gentoo.org 2005-05-19 13:56:43 0000 Got a response from Vood. Upstream (Somebody called CloneXB) is now aware of this, but it'll probably take some time till he updates, since he is very busy. vood_atari@hotmail.com 2005-05-20 15:22:11 0000 Hi, I checked the extractor code, and I think CloneXB didn vood_atari@hotmail.com 2005-05-20 15:22:11 0000 Hi, I checked the extractor code, and I think CloneXB didn´t make any change from the original by [SNK]/Supremacy. The extractor fitted our needs so we didn´t need to change anything and we focused on the xbox layout dumper and new options/fixes for the creator. Anyway is in pure C, and is very simple,so I think It won´t be hard for a medium linux user to fix that. Also, I think CloneXB has not coding experiences with linux so...maybe you´ll get a faster solution by just asking some good linux coder to fix the problem. Btw, sorry for not including any email adress on the web, but I use to visit the web´s forums everyday, and either CloneXB, Moobar, and me are easily accesible from Xbox-Scene forums. (I had VERY bad experiences with spam, and users in a previous project) If some of you finally manages to fix that security issue let me know, so I could send the fixes to CloneXB and include them in the next "official" release...maybe we should open a sf.net account but XBDVDFS_tools original coder is hard to contact (VERY...in fact all the feedback we got from him in 6 months of work was a post in xbox-scene) and I think we should first ask him for his permission. Regards chrb@gentoo.org 2005-05-21 04:26:58 0000 I've commited fixes for them all. xdvdfs-tools is version bumped and only the latest one has the fix (I'll remove the older one if it works ;-)). Stefan can you please test whether the fixes work with your modified ISOs and report back. As regards sourceforge, I'd say go for it, since it's GPL license and the original author appears to have abandoned it. dercorny@gentoo.org 2005-05-21 07:44:28 0000 None of my modified images works with the patched version of xdvdfs-tools. Good work. VooD, an sf-project would be great. xdvdfs-tools is, imho, the best tool of the 3 mentioned in this bug, give it a try! chrb@gentoo.org 2005-05-22 09:22:36 0000 Created an attachment (id=59552) xdvdfs-tools-2.1-fnamefix.patch chrb@gentoo.org 2005-05-22 09:23:23 0000 xbiso and extract-xiso patches submitted upstream, maybe someone will take care of them. Attaching xdvdfs-tools patch here, since it has no upstream. Closing. koon@gentoo.org 2005-05-22 12:58:46 0000 Chris: security will close it when the vulnerability will be fixed... Please bump xdvdfs-tools with the patch, and we'll wait for upstream on the other two. chrb@gentoo.org 2005-05-22 15:41:38 0000 I've already commited patches for them all. I have a feeling upstream may be unresponsive.. koon@gentoo.org 2005-05-23 02:32:43 0000 Great :) Could you revbump them so that people pick the fix up by upgrading ? This is also needed for GLSA, should we include one. Thx in advance chrb@gentoo.org 2005-05-25 16:17:12 0000 Done. koon@gentoo.org 2005-05-26 03:03:38 0000 Thx Chris ! Ready for GLSA vote vorlon@gentoo.org 2005-05-27 09:01:34 0000 I vote for a GLSA on this one. dercorny@gentoo.org 2005-05-27 09:23:34 0000 i'm no real dev, but i vote for no GLSA. exploitation is hard (i'm not really sure if its possible to extract actual content to files, i only managed to overwrite with 0byte files, you've got to know the name of the file to overwrite etc) it's a poor directory traversal and the affected tools aren't widely spread. jaervosz@gentoo.org 2005-05-27 10:28:32 0000 I tend to vote NO on this one too. koon@gentoo.org 2005-05-27 13:38:16 0000 Agreed it's a little unlikely, voting NO and closing. 59552 2005-05-22 09:22 0000 xdvdfs-tools-2.1-fnamefix.patch xdvdfs-tools-2.1-fnamefix.patch text/plain LS0tIFhEVkRGU19Ub29scy5vcmlnL3NyYy94ZHZkZnMveGR2ZGZzLmMJMjAwMy0wOC0xNSAyMzoy Njo1OC4wMDAwMDAwMDAgKzAwMDAKKysrIFhEVkRGU19Ub29scy9zcmMveGR2ZGZzL3hkdmRmcy5j CTIwMDUtMDUtMjEgMTI6MTM6NTUuNjU1ODM5MjE2ICswMDAwCkBAIC0xNTcsNiArMTU3LDE0IEBA CiAJbWVtY3B5KFNlYXJjaFJlY29yZC0+RmlsZW5hbWUsIEVudHJ5LT5GaWxlbmFtZSwgRW50cnkt PkZpbGVuYW1lTGVuZ3RoKTsKIAlTZWFyY2hSZWNvcmQtPkZpbGVuYW1lW0VudHJ5LT5GaWxlbmFt ZUxlbmd0aF0gPSAwOwogCisJaWYgKHN0cnN0cihTZWFyY2hSZWNvcmQtPkZpbGVuYW1lLCIuLiIp IHx8IAorCSAgICBzdHJjaHIoU2VhcmNoUmVjb3JkLT5GaWxlbmFtZSwgJy8nKSB8fCAKKwkgICAg c3RyY2hyKFNlYXJjaFJlY29yZC0+RmlsZW5hbWUsICdcXCcpKQorCSAgeworCSAgICBwcmludGYo IkZpbGVuYW1lIGNvbnRhaW5zIGludmFsaWQgY2hhcmFjdGVyc1xuIik7CisJICAgIGV4aXQoMSk7 CisJICB9CisKIAkvLyBDb3B5IGZpbGUgcGFyYW1ldGVycyBpbiB0aGUgc2VhcmNoX3JlYwogCVNl YXJjaFJlY29yZC0+QXR0cmlidXRlcyA9IEVudHJ5LT5GaWxlQXR0cmlidXRlczsKIAlTZWFyY2hS ZWNvcmQtPkZpbGVTaXplID0gRU5ESUFOX1NBRkUzMihFbnRyeS0+RmlsZVNpemUpOwo=