####################################################################### Luigi Auriemma Application: DivX Player http://www.divx.com/divx/player/ Versions: <= 2.6 Platforms: Windows Bug: arbitrary files overwriting through skins Exploitation: local (or remote through browser) Date: 21 Jan 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== As the name suggests, DivX Player is a Windows player for DivX files. It is included by default in the DivX codec distribuited by DivXNetworks. ####################################################################### ====== 2) Bug ====== The skins used by DivX Player are zip files containing all the needed images and a script file. When the player loads a skin, it unpacks the zip into a folder with the same name of the DPS file located in the temporary system directory. An attacker can overwrite the files on the victim's disk in which is located the temporary folder (usually c:) using the classical directory traversal path like: ..\..\..\..\windows\notepad.exe Can be used both slash and backslash. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/divxplayerbug.zip It overwrites/creates the file c:\folder\divxplayerbug.txt However creating the zip files to exploit the vulnerability is very easy since you need only to modify the names of the files located in the central directory of the zip file (the final part). ####################################################################### ====== 4) Fix ====== No fix. No reply from the vendor. #######################################################################