Friday, May 5, 2017

Vulnerability Spotlight: Power Software PowerISO ISO Code Execution Vulnerabilities

These vulnerabilities were discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of a new vulnerability discovered within the Power Software PowerISO disk imaging software. TALOS-2017-0318 and TALOS-2017-0324 may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted ISO image is opened and parsed by the PowerISO software.

Overview


The vulnerabilities are present in the Power Software PowerISO disk imaging utility, used by Windows users to create, edit, mount and convert various popular disk image file formats. The software is commonly used by home users to mount ISO disk images since this capability is not included by default in Windows versions prior to version 8.

ISO (9660) disk image format is a file system within a single file. Essentially, it is a binary copy of the file system used by the standard software CD-ROM installation disks. Today, most of the installation disks for popular software and operating systems are distributed using the ISO file format.


TALOS-2017-0318 - Power Software PowerISO ISO Code Execution Vulnerability (CVE-2017-2817)


A stack buffer overflow vulnerability exists in the ISO image parsing functionality of Power Software Ltd PowerISO disk imaging software. A specially crafted .ISO file can cause a vulnerability resulting in potential code execution. An attacker can send specific .ISO file to trigger this vulnerability. More details of the vulnerability can be found in the report TALOS-2017-0318.

TALOS-2017-0324 - PowerISO ISO Parsing Use After Free Vulnerability (CVE-2017-2823)


A use-after-free vulnerability exists in the .ISO parsing functionality of PowerISO 6.8. A specially crafted .ISO file can cause a vulnerability resulting in potential code execution. An attacker can send a specific .ISO file to trigger this vulnerability. More details about the discovered vulnerability are available in the report TALOS-2017-0324

Known vulnerable versions


PowerISO 6.8.

Discussion


ISO 9660 file format is one of the older formats and its original specification contains several limitations on the file name length, directory depth as well as the maximum file size. These limitations are inherited from older operating systems. Specifically, filename lengths in ISO 9660 file system are limited to maximum 8 characters with maximum 3 characters reserved for the file extension.

Over time, various extensions have been developed to overcome the limitation of the original file format specification. One of the extensions, so called Rock Ridge extension, allows for alternative names to the original file. The alternative name can be longer than the default 8 characters.

A vulnerability in PowerISO software exists when parsing the alternative name (NM) System Use Entry. The structure of the alternative name contains a single byte length field which can be manipulated by the attacker to cause a stack buffer overflow that may allow remote code execution of code in the context of the PowerISO user.

Although third party disk image utilities can be useful in many cases, it is worth checking if the default operating system functionality satisfies user's needs. Specifically, Windows 8 and later has the built-in capability to mount ISO images, which may remove the need for third party disk imaging utilities.

Users that still have a requirement for a third party disk imaging software should ensure that security updates are applied for the product as soon as they are released to remediate potential attack vectors.

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 42263-42272 (TALOS-2017-0318)
42321,42322 (TALOS-2017-0324)

No comments:

Post a Comment