2022/03/30 - AttacheCase may insecurely load Dynamic Link Libraries
JVN#10140834
AttacheCase may insecurely load Dynamic Link Libraries
https://jvn.jp/en/jp/JVN10140834/
[ Reproduction procedure ]
Placing a maliciously modified "dwmapi.dll" in the same location as the "AttacheCase4"
executable file (AttacheCase.exe) may allow arbitrary code to be executed.
[ Target version ]
ver.4.0.2.7 earlier.
[ Avoidance and countermeasures ]
Please update to the latest version as soon as possible.
More specifically,
"dwmapi.dll", which is necessary for the operation of AttacheCase4,
is no longer searched for in the location of the executable file (AttacheCase.exe).
The software was modified to search for and load it only in "system32",
so "dwmapi.dll" is now loaded directly from the "system32" directory.
2022/03/30 - Self-Extracting Encrypted Files created by AttacheCase may insecurely load Dynamic Link Libraries
JVN#61502349
Self-Extracting Encrypted Files created by AttacheCase may insecurely load Dynamic Link Libraries
https://jvn.jp/en/jp/JVN61502349/
[ Reproduction procedure ]
Placing a specific DLL file in the location where a self-extracting archive file output by
"AttacheCase#3" or "AttacheCase4", or the main body "AttacheCase.exe",
is located may result in DLL hijacking (DLL preloading).
This vulnerability was
previously reported in AttacheCase#3 on 2017/07/13,
but at that time there was only a warning about using the software, without a specific remedy.
However, the DLL loading vulnerability countermeasure in the previous section
now fixes it as well.
[ Target version ]
ver.4.0.2.7 earlier.
ver.3.1.6.0 earlier.
[ Avoidance and countermeasures ]
Please update "AttacheCase4" and "AttacheCase#3" to the latest version as soon as possible,
and use the latest version to recreate any self-extracting archive format
(exe) encrypted files that were created with a vulnerable version.
Specifically, as with the vulnerability countermeasure described in the previous section,
the default behavior of Windows is to look for a specific DLL file
in the location from which the executable file is loaded,
so the workaround was to change the destination to be searched to
"system32" by calling the API "SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)".
2018/08/30 - Additional directory traversal countermeasures
JVN#62121133
Multiple directory traversal vulnerabilities in AttacheCase
https://jvn.jp/en/jp/JVN62121133/
* This patch was applied again because the fix for the vulnerabilities of 2018/08/05 was insufficient.
[ Reproduction procedure ]
AttachéCase uses its own format, called the ATC file, and the vulnerability lies in how that file is handled.
Since AttachéCase is open source, the cryptographic processing source code can be tampered with and rebuilt,
and the resulting application creates encrypted data that includes incorrect character strings
in the file list stored in the encrypted file.
An encrypted file ("*.atc") whose list contained file paths such as the following
was created in this way, and
when it was expanded by AttachéCase, files were created in a place not intended by the user.
":\Windows\Temp\sample.txt"
": \Windows\Temp\sample.txt"
" :\Windows\Temp\sample.txt"
"z :\Windows\Temp\sample.txt"
" z:\Windows\Temp\sample.txt"
"1:\Windows\Temp\sample.txt"
"hoge:\Windows\Temp\sample.txt"
However, since a malicious third party has to develop an application with the vulnerability
and generate a file,
I think that the risk is low.
[ Target version ]
ver.3.3.0.0 earlier.
ver.2.8.4.0 earlier.
[ Avoidance and countermeasures ]
Update the software.
The previous version took a blacklist-like approach, using regular expressions
to keep wrong character strings from getting in. However,
this way means that various security holes will be made.
Therefore,
following the suggestion of JPCERT/CC,
which coordinated the publication of this vulnerability,
I decided to canonicalize the file paths at the time of decryption
and adopted a whitelist-like approach which checks
whether they are the correct save destination intended by the user.
I would like to thank them here for their advice.
AttachéCase#3
AttachéCase2
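The canonicalize-then-check approach described above, as an added example that is not AttachéCase's own code. The names resolve_entry, audit and UnsafeEntry and the destination C:\Users\alice\out are hypothetical, and the refusal of colons and of components with leading or trailing blanks or trailing dots is an assumption of this example, not a rule stated by the author.

```python
import ntpath  # Windows path rules, usable on any OS

class UnsafeEntry(ValueError):
    """A stored name that does not resolve inside the chosen destination."""

def resolve_entry(dest_dir, stored_name):
    """Return the canonical output path for stored_name, or raise UnsafeEntry."""
    root = ntpath.normpath(dest_dir)
    name = stored_name.replace("/", "\\")  # Windows accepts both separators
    # In a relative name a colon can only mean a drive or an NTFS stream,
    # so refuse it outright (added rule, an assumption of this example).
    if not name or ":" in name:
        raise UnsafeEntry(f"drive or stream syntax: {stored_name!r}")
    # Rooted ("\x") and UNC ("\\host\share\x") names ignore the destination.
    if name.startswith("\\"):
        raise UnsafeEntry(f"rooted or UNC name: {stored_name!r}")
    for part in name.split("\\"):
        # Win32 drops some trailing dots and spaces while normalising, so
        # ".. " may not mean what ntpath thinks. Refuse rather than guess.
        if part not in (".", "..") and (part != part.strip() or part.endswith(".")):
            raise UnsafeEntry(f"ambiguous component: {stored_name!r}")
    # Canonicalise, then require the result to sit under the destination.
    # The trailing separator stops "out2" from passing as a child of "out".
    candidate = ntpath.normpath(ntpath.join(root, name))
    prefix = ntpath.normcase(root).rstrip("\\") + "\\"
    if not ntpath.normcase(candidate).startswith(prefix):
        raise UnsafeEntry(f"escapes destination: {stored_name!r}")
    return candidate

def audit(dest_dir, names):
    """Map each stored name to its resolved path, or to None when refused."""
    verdicts = {}
    for stored in names:
        try:
            verdicts[stored] = resolve_entry(dest_dir, stored)
        except UnsafeEntry:
            verdicts[stored] = None
    return verdicts

# Constructed file list: two ordinary entries, then names of the kinds
# described on this page.
SAMPLE_NAMES = [r"docs\report.txt", "docs/../notes.txt", r"..\sample.txt",
                r"..\out2\sample.txt", r".. \sample.txt",
                r"\\localhost\share\sample.txt", r":\Windows\Temp\sample.txt",
                r" z:\Windows\Temp\sample.txt", r"hoge:\Windows\Temp\sample.txt"]

if __name__ == "__main__":
    for stored, path in audit(r"C:\Users\alice\out", SAMPLE_NAMES).items():
        print(f"{stored!r:40} -> {path or 'REFUSED'}")
```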
2018/08/30 - Vulnerability in which arbitrary scripts can be executed by a setting file "_AtcCase.ini" during decryption
JVN#02037158
AttacheCase vulnerable to arbitrary script execution
https://jvn.jp/en/jp/JVN02037158/
[ Reproduction procedure ]
In AttachéCase,
there is a vulnerability in which arbitrary scripts are executed when decrypting an ATC file
if a crafted setting file "_AtcCase.ini" is in the same folder
as the executable file or the ATC file to be decrypted.
[ Target version ]
ver.3.3.0.0 earlier.
ver.2.8.4.0 earlier.
[ Avoidance and countermeasures ]
Update the software.
When the setting file "_AtcCase.ini" is in the correct position and is about to be read in,
AttachéCase asks the user in an alert dialog message whether or not to open the file.
In addition,
the ver.3 series also includes a setting option, for users who have considered
the vulnerability, not to display the warning dialog message.
2018/08/05 - Multiple directory traversal vulnerability
JVN#62121133
Multiple directory traversal vulnerabilities in AttacheCase
https://jvn.jp/en/jp/JVN62121133/
* This vulnerability is a further derivation of the vulnerability reported on 2017/01/16.
[ Reproduction procedure ]
AttachéCase uses its own format, called the ATC file, and the vulnerability lies in how that file is handled.
Since AttacheCase is open source, the cryptographic processing source code can be tampered with and rebuilt,
and the resulting application creates encrypted data that includes an incorrect character string in the file list stored in the encrypted file.
Data was created that included multiple ".. \" or "../", blanks,
a drive name that does not exist, or "\\ localhost" in the expanded file name.
When the ATC file was expanded with AttacheCase,
the encrypted file was found to have been expanded in a location not intended by the user.
However, since a malicious third party has to develop an application with the vulnerability and generate a file,
I think that the risk is low.
[ Target version ]
ver.3.2.3.0 earlier.
ver.2.8.3.0 earlier.
[ Avoidance and countermeasures ]
As a modification on my side, I changed the "decryption processing" part.
I fixed it to cancel the process if illegal characters come in the path.
AttacheCase#3
AttacheCase
2017/07/13 - Reading arbitrary DLL in self executable file ( DLL Hijack, DLL Preload )
JVN#61502349
Self-Extracting Encrypted Files created by AttacheCase may insecurely load Dynamic Link Libraries
https://jvn.jp/en/jp/JVN61502349/
[ Reproduction procedure ]
A self-executable encrypted file created by AttachéCase has a problem in its search path
when loading DLLs, so there is a vulnerability in which an unintended DLL is loaded.
- A Trojan horse prepared by an attacker and disguised as "DWMAPI.DLL", "DWrite.dll" etc.
is placed in a directory on Windows (32bit / 64bit).
- A self-executable format file encrypted with AttachéCase is placed in the same directory.
- When this EXE is executed, the Trojan horse is unintentionally loaded and executed.
The other file names with which this was reproduced on Windows 10 (64 bit) are as follows.
- WTSAPI32.DLL
- PROPSYS.DLL
- MSIMG32.DLL
- WINDOWSCODECS.DLL
- WINSTA.dll
[ Version in which the problem occurs ]
ver.4.0.2.7 earlier.
ver.3.1.6.0 earlier.
[ Avoidance and countermeasures ]
Please update "AttacheCase4" and "AttacheCase#3" to the latest version as soon as possible,
and use the latest version to recreate any self-extracting archive format
(exe) encrypted files that were created with a vulnerable version.
Specifically, as with the vulnerability countermeasure described in the previous section,
the default behavior of Windows is to look for a specific DLL file
in the location from which the executable file is loaded,
so the workaround was to change the destination to be searched to
"system32" by calling the API "SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)".
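Self-extracting files created with a vulnerable version keep the old search behavior until they are recreated, so the folders they are run from are worth checking. The following added example (not part of AttacheCase) walks a folder tree and reports any DLL named on this page that sits beside an .exe; the function name find_shadowing_dlls and its parameters are hypothetical.

```python
import os

# DLL names this page reports as being picked up from the application folder.
WATCHLIST = frozenset(n.lower() for n in (
    "dwmapi.dll", "DWrite.dll", "WTSAPI32.DLL", "PROPSYS.DLL",
    "MSIMG32.DLL", "WINDOWSCODECS.DLL", "WINSTA.dll"))

def find_shadowing_dlls(top, watchlist=WATCHLIST, system_dir=None):
    """Walk `top` and report folders where a watched DLL sits beside an .exe.

    Returns a sorted list of (folder, [exe names], [dll names]). `system_dir`
    (for example C:\\Windows\\System32) is skipped: the real copies live there.
    """
    skip = os.path.normcase(os.path.abspath(system_dir)) if system_dir else None
    findings = []
    for folder, _dirs, files in os.walk(top):
        if skip and os.path.normcase(os.path.abspath(folder)) == skip:
            continue
        # Windows file names are case-insensitive, so compare in lower case.
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower() in watchlist)
        # A watched DLL matters only where an executable would load it from.
        if exes and dlls:
            findings.append((folder, exes, dlls))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for folder, exes, dlls in find_shadowing_dlls(start):
        print(f"{folder}: {', '.join(dlls)} beside {', '.join(exes)}")
```

A hit is a reason to inspect the DLL before running anything in that folder, not proof of tampering.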
2017/01/16 - Directory traversal vulnerability
JVN#83917769
AttacheCase vulnerable to directory traversal
https://jvn.jp/en/jp/JVN83917769/
[ Reproduction procedure ]
AttacheCase
uses a proprietary format called the ATC file and saves the expanded file name in the ATC file.
When an ATC file was made with ".. \" added at the beginning of the expanded file name
and that ATC file was expanded,
the file was expanded into the parent directory of the extraction destination directory.
However, since a malicious third party has to develop an application with the vulnerability and generate a file,
I think that the risk is low.
[ Target version ]
ver.3.0.1.5 earlier.
ver.2.8.2.8 earlier.
[ Avoidance and countermeasures ]
Users should update to the latest version promptly.
Fixed to stop the process when ".. \" appears in the file name.
2010/12/17 - Reading any executable file ( Binary planting )
JVN#02175694
AttacheCase may insecurely load executable files
https://jvn.jp/en/jp/JVN02175694/
[ Reproduction procedure ]
In AttacheCase,
enable the operation setting that automatically opens the folder after it is decrypted.
If an arbitrary compressed file and an arbitrary executable file named "explorer.exe"
are saved in the same folder and the compressed file is expanded with the target software,
the arbitrary executable file in the same folder is loaded.
This can be exploited for attacks via USB memory and network folders.
[ Target version ]
ver.2.69 earlier.
[ Avoidance and countermeasures ]
Users should update to the latest version promptly.
The fifth argument of the "ShellExecute" API used to be set to "NULL",
but it is now properly specified as the default directory.