Wednesday, August 2, 2017

Vulnerability Spotlight: EZB Systems UltraISO ISO Parsing Code Execution Vulnerability

Discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of a new vulnerability discovered within the EZB Systems UltraISO ISO disk image creator software. TALOS-2017-0342 (CVE-2017-2840) may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted ISO image is opened and parsed by the UltraISO software.

Overview


The vulnerability is present in the EZB Systems UltraISO software, an ISO CD/DVD image file creating/editing/converting tool and a bootable CD/DVD maker. UltraISO can directly edit the CD/DVD image file and extract files and folders from it, as well as directly make ISO files from a CD/DVD-ROM or hard drive.

ISO (9660) disk image format is a file system within a single file. Essentially, it is a binary copy of the file system used by the standard software CD-ROM installation disks. Today, most of the installation disks for popular software and operating systems are distributed using the ISO file format.

Technical details


A buffer overflow vulnerability exists within EZB Systems UltraISO. After "NM" entry is located in the .ISO file UltraISO executes _strncpy function with maxlen argument calculated directly from the ISO header byte field NM_hdr.len - length of alternate name.

UltraISO assumes this field is always larger than 5 bytes. However, if an attacker forces it to be
less than that value the maxlen parameter for the _strncpy function will be extremely big (NM_hdr.len - 5, result is unsigned).

Later, the memset function (inside the _strncpy function) is executed where the extremely big size parameter is used which leads to memory corruption and potential remote code execution.

More details of the vulnerability can be found in the report TALOS-2017-0342.

Discussion


ISO 9660 file format is one of the older formats and its original specification contains several limitations on the file name length, directory depth as well as the maximum file size. These limitations are inherited from older operating systems. Specifically, filename lengths in ISO 9660 file system are limited to maximum 8 characters with maximum 3 characters reserved for the file extension.

Over time, various extensions have been developed to overcome the limitation of the original file format specification. One of the extensions, so called Rock Ridge extension, allows for alternative names to the original file. The alternative name can be longer than the default 8 characters.

A vulnerability in UltraISO software exists when parsing the alternative name (NM) System Use Entry. The structure of the alternative name contains a single byte length field which can be manipulated by the attacker to cause a buffer overflow that may allow remote code execution of code in the context of the UltraISO user.

Although third party disk image utilities can be useful in many cases, it is worth checking if the default operating system functionality satisfies user's needs. Specifically, Windows 8 and later has the built-in capability to mount ISO images, which may remove the need for third party disk imaging utilities.

Users that still have a requirement for a third party disk imaging software should ensure that security updates are applied for the product as soon as they are released to remediate potential attack vectors.

Affected versions


UltraISO version prior to 9.7.0.3476, which includes a fix for the vulnerability.

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43000 - 43001

No comments:

Post a Comment