Source:
www.securiteam.com
Summary
As the name suggests, DivX Player is "a Windows player for DivX files. It is included by default in the DivX codec distributed by DivXNetworks".
Due to improper filtering by the DivX Player skin installer, an attacker can cause DivX Player to overwrite arbitrary files by utilizing a directory traversal vulnerability.
Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at:
http://aluigi.altervista.org/adv/divxplayer-adv.txt
Details
Vulnerable Systems:
* DivX Player version 2.6 and prior
The skins used by DivX Player are actually zip files containing all the needed images and a script file. When the player loads a skin, it unpacks the skin in the temporary system directory, into a folder named after the DPS file.
An attacker can overwrite files on the victim's disk on which the temporary folder is located (usually c:) by using a classic directory traversal path such as:
..\..\..\..\windows\notepad.exe
Both slash and backslash can be used.
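The check a skin installer needs before unpacking, as an added example that is not from the original advisory or from DivX code: every archive member name is validated with both separators treated alike, and the whole skin is refused if any name leaves the extraction folder. The function names and the sample archives are hypothetical and constructed for illustration.

```python
import io
import ntpath
import os
import tempfile
import zipfile

def entry_is_contained(name):
    """True if a member name stays inside the extraction folder on Windows."""
    norm = name.replace("/", "\\")          # slash and backslash are equivalent
    drive, rest = ntpath.splitdrive(norm)   # catches "C:..." and UNC prefixes
    if drive or rest.startswith("\\"):
        return False                        # absolute or drive-relative path
    return ".." not in rest.split("\\")     # reject any parent-directory step

def unsafe_entries(zip_bytes):
    """List member names that would escape the skin folder."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if not entry_is_contained(i.filename)]

def extract_skin(zip_bytes, dest):
    """Extract only if every member is contained; otherwise refuse the archive."""
    bad = unsafe_entries(zip_bytes)
    if bad:
        raise ValueError("skin rejected, traversal in: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
    return sorted(os.listdir(dest))

def build_sample(names):
    """Constructed in-memory archive standing in for a .dps skin file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()

# Constructed samples: one well-formed skin, one using the path from the advisory.
GOOD = build_sample(["skin.xml", "images/play.bmp"])
BAD = build_sample(["skin.xml", "..\\..\\..\\..\\windows\\notepad.exe",
                    "../../x.txt"])

if __name__ == "__main__":
    print(unsafe_entries(BAD))
    with tempfile.TemporaryDirectory() as d:
        print(extract_skin(GOOD, d))
```

Rejecting the archive outright, rather than silently stripping the `..` components, also leaves a clear event to log when a malformed skin is opened.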
Proof of concept:
A proof of concept can be downloaded from:
http://aluigi.altervista.org/poc/divxplayerbug.dps