
2018/08/30 - Additional directory traversal countermeasures

JVN#62121133
Multiple directory traversal vulnerabilities in AttacheCase
https://jvn.jp/en/jp/JVN62121133/

* This patch was applied again because the fix for the vulnerabilities on 2018/08/05 was insufficient.

[ Reproduction procedure ]
AttachéCase uses its own file format, called the ATC file, and this vulnerability is exploited through that file.
Since AttachéCase is open source, the cryptographic processing source code can be tampered with and rebuilt.
The modified application then creates encrypted data whose stored file list contains incorrect character strings.

When an encrypted file " *.atc " whose file list contained paths such as the following was created with AttachéCase and then expanded, files were created in a place not intended by the user.

":\Windows\Temp\sample.txt"
":      \Windows\Temp\sample.txt"
"    :\Windows\Temp\sample.txt"
"z    :\Windows\Temp\sample.txt"
"     z:\Windows\Temp\sample.txt"
"1:\Windows\Temp\sample.txt"
"hoge:\Windows\Temp\sample.txt"

However, since a malicious third party has to develop an application with the vulnerability and generate a file, I think that the risk is low.

[ Target version ]
ver.3.3.0.0 and earlier.
ver.2.8.4.0 and earlier.

[ Avoidance and countermeasures ]
Update the Software.

In the previous version, the approach was blacklist-like: regular expressions were used to prevent wrong character strings from getting in. However, an approach of this kind leaves room for various further security holes.
Therefore, following the suggestion of JPCERT/CC, who coordinated the publication of this vulnerability, I decided to canonicalize the file paths at decryption time and adopted a whitelist-like approach which checks whether they are the correct save destination intended by the user. I appreciate their advice.
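The canonicalize-then-whitelist check described above, as an added illustration in Python rather than the project's own C# or C++ code: the sample entries are constructed from the paths quoted in the reproduction procedure, the destination folder "C:\Users\alice\out" is assumed, and ntpath supplies Windows path semantics on any platform. On top of the canonical-prefix test it adds a per-component character check, which is an addition of this example.

```python
import ntpath

# Characters that cannot appear inside a Windows file-name component (plus
# control characters). A ':' anywhere in a component, not just at the drive
# position, is what makes an entry such as "hoge:\Windows\..." suspicious.
INVALID_CHARS = set('<>:"|?*') | {chr(c) for c in range(32)}

# Constructed sample entries modelled on the file-list paths quoted above.
SAMPLE_ENTRIES = [
    "docs\\readme.txt",                          # the only legitimate entry
    "..\\..\\Windows\\Temp\\sample.txt",         # classic traversal
    ":\\Windows\\Temp\\sample.txt",
    "     z:\\Windows\\Temp\\sample.txt",
    "1:\\Windows\\Temp\\sample.txt",
    "hoge:\\Windows\\Temp\\sample.txt",
    "\\\\localhost\\c$\\Windows\\Temp\\sample.txt",
]


def safe_destination(dest_dir, entry):
    """Canonical output path for one archive entry, or None if it is rejected.
    dest_dir is the absolute, drive-qualified folder chosen by the user."""
    base = ntpath.normpath(dest_dir)
    if not ntpath.splitdrive(base)[0]:
        raise ValueError("dest_dir must be an absolute, drive-qualified path")
    # 1. Entries may not carry their own drive ("1:"), a UNC server
    #    ("\\localhost") or a leading separator; they are always relative.
    drive, rest = ntpath.splitdrive(entry)
    if drive or rest[:1] in ("\\", "/"):
        return None
    # 2. Every component must be a plausible file name.
    for part in rest.replace("/", "\\").split("\\"):
        if INVALID_CHARS & set(part):
            return None
    # 3. Canonicalize (collapses "." and "..") and require that the result
    #    stays under dest_dir, comparing case-folded forms.
    candidate = ntpath.normpath(ntpath.join(base, rest))
    prefix = ntpath.normcase(base).rstrip("\\") + "\\"
    if not ntpath.normcase(candidate).startswith(prefix):
        return None
    return candidate


def classify(dest_dir, entries=SAMPLE_ENTRIES):
    """Map each entry to its resolved path, or None when it must be skipped."""
    return {entry: safe_destination(dest_dir, entry) for entry in entries}


if __name__ == "__main__":
    for entry, resolved in classify("C:\\Users\\alice\\out").items():
        print("OK    " if resolved else "REJECT", repr(entry), "->", resolved)
```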

AttachéCase#3 AttachéCase2


2018/08/30 - Vulnerability allowing arbitrary scripts to be executed via the setting file "_AtcCase.ini" during decryption

JVN#02037158
AttacheCase vulnerable to arbitrary script execution
https://jvn.jp/en/jp/JVN02037158/

[ Reproduction procedure ]
In AttachéCase, there is a vulnerability where arbitrary scripts are executed when decrypting an ATC file if a specially crafted setting file "_AtcCase.ini" exists in the same folder as the executable file or as the ATC file being decrypted.

[ Target version ]
ver.3.3.0.0 and earlier.
ver.2.8.4.0 and earlier.

[ Avoidance and countermeasures ]
Update the Software.

When the setting file "_AtcCase.ini" is in a valid location and is about to be read in, AttachéCase now asks the user in an alert dialog whether or not to open the file.
In addition, ver.3 also includes a setting option to stop displaying the warning dialog once you have considered the vulnerability.


2018/08/05 - Multiple directory traversal vulnerabilities

JVN#62121133
Multiple directory traversal vulnerabilities in AttacheCase
https://jvn.jp/en/jp/JVN62121133/

* This vulnerability is a further derivative of the vulnerability reported on 2017/01/16.

[ Reproduction procedure ]
AttachéCase uses its own file format, called the ATC file, and this vulnerability is exploited through that file.
Since AttacheCase is open source, the cryptographic processing source code can be tampered with and rebuilt.
The modified application then creates encrypted data whose stored file list contains an incorrect character string.

Data was created whose expanded file names contained multiple "..\" or "../", blanks, a drive name that does not exist, or "\\localhost".
When such an ATC file was expanded with AttacheCase, the encrypted file was found to have been expanded in a location not intended by the user.

However, since a malicious third party has to develop an application with the vulnerability and generate a file, I think that the risk is low.

[ Target version ]
ver.3.2.3.0 and earlier.
ver.2.8.3.0 and earlier.

[ Avoidance and countermeasures ]
As the modification on my side, in the "decryption processing" part, I fixed it to cancel the process if illegal characters come in the path.
AttacheCase#3 AttacheCase


2017/07/13 - Loading of arbitrary DLLs by the self-executable file ( DLL Hijacking, DLL Preloading )

[ Reproduction procedure ]
The self-executable form of an encrypted file created by AttachéCase has a problem in the search path used when loading DLLs, and there is a vulnerability where an unintended DLL is loaded.

  1. An attacker places DLLs such as "DWMAPI.DLL" and "DWrite.dll", disguised as a Trojan horse and prepared for Windows (32-bit / 64-bit), in a directory.
  2. The self-executable format file encrypted with AttachéCase is placed in the same directory.
  3. When this EXE is executed, the Trojan horse DLL is unintentionally loaded and executed.

Other DLL file names with which this was reproduced on Windows 10 (64-bit) are as follows.

  • WTSAPI32.DLL
  • PROPSYS.DLL
  • MSIMG32.DLL
  • WINDOWSCODECS.DLL
  • WINSTA.dll

[ Version in which the problem occurs ]
It occurs in the current version.

[ Avoidance and countermeasures ]
For now, in order to avoid this problem, please pay attention to the following points during operation.

  • Save the self-extracting archive file in a newly created directory and execute it there with no other unrelated file present.
  • Make sure that no untrusted files exist in the directory in which the self-extracting archive file is executed.
  • If the self-extracting archive file is operated in such a way that it is placed in a shared directory and executed there, set that directory to read-only.
  • In principle, run the self-extracting archive file with a standard user account without administrator privileges, and use an administrator account only when necessary.
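A pre-launch check for the first two points above, added here as an example and not part of AttachéCase: it scans the directory beside a self-extracting archive for the DLL names listed in this entry and for any other unrelated file. The demo() scenario builds a constructed temporary directory with a placeholder archive "secret.exe" (an assumed name) and a planted DWMAPI.DLL, as in the reproduction steps.

```python
import os
import tempfile

# DLL names the advisory reports being loaded from the EXE's own directory
# on Windows 10 (64-bit); compared case-insensitively.
HIJACKABLE_DLLS = {
    "dwmapi.dll", "dwrite.dll", "wtsapi32.dll", "propsys.dll",
    "msimg32.dll", "windowscodecs.dll", "winsta.dll",
}


def check_sfx_directory(sfx_path):
    """Inspect the directory holding a self-extracting archive and return a
    list of findings; an empty list means the directory matches the
    guidance above (the archive alone, nothing else beside it)."""
    sfx_path = os.path.abspath(sfx_path)
    directory = os.path.dirname(sfx_path)
    findings = []
    for name in sorted(os.listdir(directory)):
        if os.path.join(directory, name) == sfx_path:
            continue
        lower = name.lower()
        if lower in HIJACKABLE_DLLS:
            findings.append(f"known hijack target beside archive: {name}")
        elif lower.endswith(".dll"):
            findings.append(f"unexpected DLL beside archive: {name}")
        else:
            findings.append(f"unrelated file beside archive: {name}")
    return findings


def demo(extra_files=("DWMAPI.DLL", "notes.txt")):
    """Constructed scenario: a fresh directory holding the archive plus the
    given extra files (placeholder contents, nothing is executed)."""
    with tempfile.TemporaryDirectory() as tmp:
        sfx = os.path.join(tmp, "secret.exe")
        for name in ("secret.exe",) + tuple(extra_files):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"placeholder")
        return check_sfx_directory(sfx)


if __name__ == "__main__":
    for finding in demo():
        print("WARNING:", finding)
```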


Demonstration source code ( ready for VS Express for Desktop 2015 )

"DWMAPI.DLL" and "DWrite.dll" in the "Debug" and "Release" directories of the demonstration code are DLLs set up for DLL preloading. The source code of the verification DLL is as follows.

#include <windows.h>

/* Verification DLL: shows a message box when it is loaded, so that an
   unintended load from the EXE's own directory becomes visible. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;
    /* Fire once, when the DLL is mapped into the process, rather than on
       every thread attach/detach notification. MessageBoxA is used so the
       narrow string literals compile with or without UNICODE defined. */
    if (fdwReason == DLL_PROCESS_ATTACH) {
        MessageBoxA(NULL,
                    "This program is vulnerable to DLL Hijacking.",
                    "DLL Hijacked",
                    MB_OK);
    }
    return TRUE;
}

I read "Secure loading of libraries to prevent DLL preloading attacks" and added SetDllDirectory("") to the source code, but in either case the DLL is loaded before the entry point and executed.

Even when I searched the web, there is information that there is no way to do it in .NET Framework C#, or that there is a way to do it at the intermediate language level, and I have not yet got an actual answer.

Also, the same phenomenon occurs in the old version (ver. 2), which is C++. I tried examining various web sites, but I still could not find a countermeasure there either.

Similarly, if a DLL containing a Trojan horse is placed there, it will be loaded before the entry point. Regarding this as well, if someone knows a countermeasure, I would appreciate it if you could let me know.

Please email me.

Mitsuhiro Hibara

2017/01/16 - Directory traversal vulnerability

[ Reproduction procedure ]
In AttachéCase, I use a proprietary format called the ATC file and save the expanded file names in the ATC file.

An ATC file was made with "..\" added at the beginning of an expanded file name; when that ATC file was expanded, the file was expanded in the parent directory of the extraction destination directory.

However, since a malicious third party has to develop an application with the vulnerability and generate a file, I think that the risk is low.

[ Target version ]
ver.3.0.1.5 and earlier.
ver.2.8.2.8 and earlier.

[ Avoidance and countermeasures ]
Users should update to the latest version promptly.
Fixed to stop the process when "..\" comes in.

JVN#83917769
AttacheCase vulnerable to directory traversal
https://jvn.jp/en/jp/JVN83917769/


2010/12/17 - Loading of an arbitrary executable file ( Binary planting )

[ Reproduction procedure ]
In AttachéCase, after decrypting a folder, an operation setting can automatically open that folder. If an arbitrary compressed file and an arbitrary executable file named "explorer.exe" are saved in the same folder and the compressed file is expanded with the affected software, the arbitrary executable file in the same folder is loaded. This can be exploited for attacks via USB memory and network folders.

[ Target version ]
ver.2.69 and earlier.

[ Avoidance and countermeasures ]
Users should update to the latest version promptly.
The fifth argument of the "ShellExecute" API (the working directory) was set to NULL; it has been changed so that the default directory is specified properly.

JVN#02175694
AttacheCase may insecurely load executable files
https://jvn.jp/en/jp/JVN02175694/


If you have any questions about these vulnerabilities, please contact the following e-mail address.

Mitsuhiro Hibara