HISPASEC Security Advisory http://blog.hispasec.com/lab/
Name         : Fileinfo multiple vulnerabilities
Class        : Local DoS, Information Spoofing
Threat level : Low
Discovered   : 2007-08-05
Published    : 2007-08-20
Credit       : Gynvael Coldwind
Vulnerable   : 2.0.9, prior versions may also be affected

== Abstract ==

Fileinfo is a lister plugin for Total Commander, made by Francois Gannier. It allows the user to view the structure of MZ, PE and COFF files.

Fileinfo fails to check the sanity of input data. Successfully exploited, this can deny service to the legitimate user, or can allow injection of additional, false information into the information displayed.

== Details ==

1. In a PE file, the IMAGE_IMPORT_DESCRIPTOR contains fields named OriginalFirstThunk and FirstThunk. Both of them point to an array of IMAGE_THUNK_DATA structures. Each structure may contain the RVA of the name of the imported function. If this pointer to the function name is invalid, Fileinfo raises an Access Violation exception which, being unhandled, causes a Denial of Service condition. This ends up terminating both the Fileinfo plugin and the Total Commander process.

2. In a PE file, the IMAGE_EXPORT_DIRECTORY contains a field named AddressOfNames, which points to an array of RVAs of function names. Just as in point 1, if the pointer is invalid, Fileinfo raises an Access Violation exception, which causes a DoS condition.

3. In a PE file, the IMAGE_OPTIONAL_HEADER contains an array of IMAGE_DATA_DIRECTORY structures called DataDirectory. This array contains, among other things, the size of the import directory. Fileinfo fails to check this field in the Image File Header tab, which may lead to printing out information about false DLL files that in reality are not loaded and not used.

4. In a PE file, the IMAGE_IMPORT_DESCRIPTOR contains pointers to arrays of pointers to strings, and a pointer to the name of the DLL being loaded. In addition, IMAGE_EXPORT_DIRECTORY also contains a pointer to an array of pointers to strings. If any of these strings is malformed, it is written out "as is", without proper handling of \r and \n characters, and without any size check. This allows the string to be forged so that it looks like original Fileinfo information in the Image File Header tab, which can be used to misinform the user about the structure of the PE file, its imports and its exports.

Additionally, combining point 3 with any of the other points allows a working PE file to be created that causes a DoS condition in Fileinfo, or misinforms the user about the structure of the PE file.

== Proof of concept ==

http://blog.hispasec.com/lab/files/Fileinfo_DoS.exe
http://blog.hispasec.com/lab/files/Fileinfo_Spoof.exe
http://blog.hispasec.com/lab/files/Fileinfo_Spoof_Action.png

== Vendor status and solution ==

The vendor has been informed, but has not yet released a patched version. Until a fixed version is released, it is advised to be careful while viewing PE files from unknown sources.

== Disclaimer ==

This document and all the information it contains is provided "as is", without any warranty. Hispasec Sistemas is not responsible for the misuse of the information provided in this advisory. The advisory is provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

Copyright (C) 2007 Hispasec Sistemas.

--
Gynvael Coldwind
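The checks the Details section says Fileinfo omits, as an added example that is not part of the advisory or of the Fileinfo plugin: every RVA taken from the import directory is mapped to a file offset through the section table and rejected when it falls outside the file, the IMAGE_IMPORT_DESCRIPTOR walk is bounded by the DataDirectory size, and \r and \n in names are escaped before display. The section table, file layout and import names are constructed sample data; the same rva_to_offset check applies equally to the IMAGE_THUNK_DATA arrays and to AddressOfNames.

```python
import struct

IMPORT_DESCRIPTOR_SIZE = 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)

# Constructed section table: (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
SECTIONS = [(0x1000, 0x200, 0x400, 0x200), (0x2000, 0x200, 0x600, 0x200)]

def rva_to_offset(rva, sections, file_size):
    """Map an RVA to a file offset; None if it lies outside every section's raw data."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + min(vsize, raw_size):
            off = raw_ptr + (rva - va)
            return off if off < file_size else None
    return None

def read_name(data, rva, sections, max_len=64):
    """Bounds-checked, NUL-terminated string read; \\r and \\n are escaped so a
    crafted name cannot imitate a new line of lister output."""
    off = rva_to_offset(rva, sections, len(data))
    if off is None:
        return None
    end = data.find(b"\x00", off, off + max_len)
    if end == -1:  # no terminator within the size limit
        return None
    text = data[off:end].decode("ascii", "replace")
    return text.replace("\r", "\\r").replace("\n", "\\n")

def list_import_dlls(data, sections, dir_rva, dir_size):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries, never past the DataDirectory size."""
    names = []
    for i in range(dir_size // IMPORT_DESCRIPTOR_SIZE):
        off = rva_to_offset(dir_rva + i * IMPORT_DESCRIPTOR_SIZE, sections, len(data))
        if off is None or off + IMPORT_DESCRIPTOR_SIZE > len(data):
            break
        _oft, _ts, _fwd, name_rva, _ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0:  # all-zero terminator entry
            break
        name = read_name(data, name_rva, sections)
        names.append(name if name is not None else "<invalid name RVA 0x%x>" % name_rva)
    return names

def build_sample():
    """Constructed image: import descriptors at RVA 0x2000 (file offset 0x600)."""
    data = bytearray(0x800)
    struct.pack_into("<5I", data, 0x600, 0x2100, 0, 0, 0x2080, 0x2100)  # valid name
    struct.pack_into("<5I", data, 0x614, 0x2100, 0, 0, 0x20A0, 0x2100)  # name with \r\n
    struct.pack_into("<5I", data, 0x628, 0x2100, 0, 0, 0x9999, 0x2100)  # bad name RVA
    struct.pack_into("<5I", data, 0x63C, 0x2100, 0, 0, 0x20C0, 0x2100)  # beyond dir size
    for off, s in ((0x680, b"KERNEL32.dll\x00"), (0x6A0, b"EVIL\r\nforged line\x00"),
                   (0x6C0, b"NOTLISTED.dll\x00")):
        data[off:off + len(s)] = s
    return bytes(data)
```

With a DataDirectory size of 60 (three descriptors) the fourth entry is never shown, the unresolvable RVA is reported instead of dereferenced, and the forged name is displayed on a single line.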