Date: 10 Sep 2003 18:35:45 -0000
From: hUNTER 007 <door_hunt3r@...ckcodemail.com>
To: bugtraq@...urityfocus.com
Subject: Multiple* bug's associated with Win xp default zip Manager...




1).
---DESCRIPTION---
 Win xp default zip manager prompts for a password, [even* when there is 
no password] if the zipped file has folder/s with more than 121 sub 
directories in it, but this situation does vary with some conditions as 
specified below...

---Bug Demonstration---
---------------
Create a batch script (*.bat)
---------------
 :lol
 md 1
 cd 1
 goto lol
-------------
[OR, download] http://www.geocities.com/visitbipin/winxp_zip_bug.zip

 If you "execute" this batch script [*.bat] from your root, [ ie   c:\  ] 
windows can at most create the 121st sub directory, ie \..\1\1\1\..\...[up to 
the 121st sub directory,] then the batch script ends with an error message...

 Now say if I put "md 12" instead of "md 1" in the above script, [ie a two 
character directory name instead of one] windows can at most create... 80 sub 
directories!

 Again, say if I put md 12345 ->"five character directory name in the 
same way..."<- windows can at most create... 39 sub directories!

 HENCE, IF you simply ZIP A FILE WITH SAY 39 SUB-DIRECTORIES in it with a 5 
character directory name as explained in the above demonstration [ie: md 
12345 ] Win xp default zip manager prompts for a password in the extraction 
process [copy the 12345.zip file to c:\windows\system32 and try 
extracting it there] but when you use third party software, it simply 
ends up with an error. [as windows has restrictions on creating a number of 
sub-directories which is proportional to the number of characters used 
to label a folder!]

Moreover it even prompts for a password for file names that don't exist!

---Conclusion---
Concluding from the experiment conducted from LINUX, on a fat32/ntfs 
partition, it seems the problem isn't with the "file system itself" but 
it occurs due to the restriction of windows!

__________________________________________________________________________

2).
---Description---
Win xp default zip manager can't handle long file names properly...

---Bug Demonstration---
Create a new file with very long file name... in your c:\
 [ say:
1.111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111 ] 

[or, download]   http://www.geocities.com/visitbipin/zip_long.zip

Windows xp will easily allow you to create that file, now zip the file [ 
above mentioned ie 1.11111111111111111111* ] using winxp default zip 
manager, [say, the new file created is 1.zip]
But strangely, if you open the file [1.zip] with windows explorer [ie 
view its contents] you can see neither a file name nor its extension in 
the archive, but simply its icon only!

Moreover, windows xp doesn't allow you to delete the long file created in 
the above example through GUI mode [...have to use command prompt] and 
ends up with an error Can't delete 1 : The folder is empty. [actually it's 
a file!]
__________________________________________________________________________

3).
---Description---
A probable buffer overflow with winxp default zip manager! [zipfldr.dll]

---Demonstration---
http://www.geocities.com/visitbipin/hUNTER_.zip

Well, as win xp automatically creates a bug report of a crash, the bug is 
self explanatory.
Simply try extracting the above file using win xp default zip manager or 
try viewing the file hUNTER_..PKT YOUR EXPLORER WILL CRASH!

--[Background Information]--
These bugs were originally discovered by hUNT3R, [myself] a member of 01 
Security Submission. The vendor was notified via email.
---[about 01 security submission]---
01s.s is a small group having experience as security specialists, 
programmers and system administrators.
http://www.ysgnet.com/hn
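
A pre-extraction check for the path-length conditions described in items 1 and 2, as an added example that is not part of the original post. It assumes the Windows restriction the post refers to is the Win32 path limit (260 characters for files, 248 for directories, without the `\\?\` prefix); the function names and the sample archives are constructed here.

```python
import io
import zipfile

# Win32 limits without the \\?\ prefix, counted with the terminating NUL.
MAX_PATH = 260       # full path of a file
MAX_DIR_PATH = 248   # full path of a directory (CreateDirectory default limit)
MAX_COMPONENT = 255  # one file or directory name on NTFS/FAT32

def audit_zip(data, dest):
    """Return [(entry_name, reason)] for entries that cannot be created under dest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Split on both separators; empty parts come from trailing slashes.
            parts = [p for p in info.filename.replace("\\", "/").split("/") if p]
            if not parts:
                continue
            full = dest.rstrip("\\") + "\\" + "\\".join(parts)
            limit = MAX_DIR_PATH if info.is_dir() else MAX_PATH
            if max(len(p) for p in parts) > MAX_COMPONENT:
                findings.append((info.filename, "name component over 255 characters"))
            elif len(full) + 1 > limit:
                reason = f"path needs {len(full) + 1} of {limit} characters"
                findings.append((info.filename, reason))
    return findings

def nested_dirs_zip(name, depth):
    """Constructed sample: one directory entry, `name` nested `depth` times."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr((name + "/") * depth, b"")
    return buf.getvalue()

def long_name_zip(length):
    """Constructed sample: one file named '1.' followed by '1's, `length` chars long."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1." + "1" * (length - 2), b"constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    sample = nested_dirs_zip("12345", 39)
    for dest in ("C:\\", "C:\\windows\\system32"):
        print(dest, audit_zip(sample, dest))
```

The same archive passes for one destination and fails for a deeper one, so the check has to be run against the actual extraction directory.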

