#######################################################################

                             Luigi Auriemma

Application:  NeoAxis web player
              http://www.neoaxis.com
Versions:     <= 1.4
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote
Date:         15 Jan 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"NeoAxis Engine is an all-purpose 3D engine for game development,
simulation and visualization systems creation."

The web player is a plugin for the web browser for running the content
online.


#######################################################################

======
2) Bug
======


To be played by the plugin, the web content must be packed in a zip
file called neoaxis_web_application_win32.zip, and a
neoaxis_web_application.config file must be created containing the
size and the MD5 hash of that zip.

When the browser visits the page where the content is located, it
first asks for permission to download it and then to run it. During
the download phase the zip file is placed in the Cache folder of the
"NeoAxis Web Player" user's folder, and when the user runs it all the
files are extracted into the ExtractedApplications folder.

No checks are performed on the extracted filenames, so it's enough to
use a classical directory traversal pattern to write or overwrite
files outside the ExtractedApplications folder.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/neoaxis_1.zip

Put the files on a web server and load neoaxis_1.htm. Note that by
default the html file loads the content from http://localhost, so
modify that URL to match the address of the test server.

The proof-of-concept will write the file evil.bat in the Startup
folder of the user.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
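The missing step described in section 2 is a filename check on every archive entry before it is written to disk. The following is an added example, not code from the advisory, from NeoAxis or from the vendor, showing what such a check looks like in Python: entry names are rejected if they contain a `..` component, start with a separator, or carry a Windows drive or UNC prefix, and the resolved target path is confirmed to stay under the destination before anything is written. The sample archive, its entry names and the destination folder name are constructed for the demonstration.

```python
"""Defensive zip extraction that refuses entries escaping the target folder.

Added example (not from the advisory or NeoAxis). Both '/' and '\\' are
treated as separators because the affected plugin runs on Windows.
"""
import io
import tempfile
import zipfile
from pathlib import Path, PureWindowsPath


def entry_is_safe(name: str) -> bool:
    """Return True only if an archive entry name stays inside the extraction dir.

    Rejects empty names, embedded NULs, leading separators, drive letters and
    UNC prefixes, and any '..' path component.
    """
    if not name or "\x00" in name:
        return False
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or PureWindowsPath(name).drive:
        return False
    parts = [p for p in normalised.split("/") if p not in ("", ".")]
    return bool(parts) and ".." not in parts


def extract_safely(zip_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only safe entries under `dest`; return (extracted, rejected)."""
    dest = dest.resolve()
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not entry_is_safe(info.filename):
                rejected.append(info.filename)
                continue
            # Second, independent check: the resolved target must be dest itself
            # or lie somewhere below it.
            target = (dest / info.filename.replace("\\", "/")).resolve()
            if target != dest and dest not in target.parents:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed archive: one legitimate entry plus three traversal-shaped
    names (all made up for the example; contents are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Data/Maps/level.map", b"constructed content")
        zf.writestr("..\\..\\Startup\\evil.bat", b"constructed placeholder")
        zf.writestr("../../Startup/evil.bat", b"constructed placeholder")
        zf.writestr("C:\\Windows\\Temp\\evil.bat", b"constructed placeholder")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the sample archive into a throwaway folder and report results."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "ExtractedApplications"  # constructed folder name
        return extract_safely(build_sample_zip(), dest)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

The two checks are deliberately redundant: `entry_is_safe` catches the obvious patterns by name, and the `resolve()` comparison catches anything the name-based filter misses, so a bypass would have to defeat both.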