lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <003301c4f3c8$5a9d8d20$f85ab350@noone>
Date: Thu, 06 Jan 2005 10:18:51 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
 Windows NTBugtraq Mailing List <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
 vulnwatch@...nwatch.org, news@...uriteam.com,
 "securitytracker.com" <bugs@...uritytracker.com>
Subject: WinHKI - LHA File Incorrect Filename Handeling Leads to Crash/Underflow


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:    WinHKI
Vendors:        http://www.webtoolmaster.com
Versions:       1.4d
Platforms:      Windows
Bug:            LHA File Incorrect Filename Handeling Leads to
Crash/Underflow
Exploitation:   Local (extract file)
Date:           24 Dec 2004
Author:         Rafel Ivgi, The-Insider
E-Mail:         the_insider@...l.com
Website:        http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

WinHKI is a file archiever which supports: LHA, CAB, HKI, JAR, LHA,TAR, GZ
compressions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

This is a normal LHA compressed file header

00000000 1EFF 2D6C 6830 2D1B 0000 001B 0000 0039 ..-lh0-........9
00000010 7378 3120 0008 5C31 3032 2E68 746D 4543 sx1 ..\102.htmEC
00000020 3C73 6372 6970 7466 3E61 6C65 7274 2829 <scriptf>alert()
00000030 3C2F 7363 7269 7074 3E0D 0A62 5F2D 6C68 </script>..b_-lh
00000040 642D 0000 0000 0000 0000 94A4 8431 1000 d-...........1..

The last byte in the following code, specifies the length of the
compressed file name. Once its smaller than the filename's length
WinHKI crashes.

00000000 1EFF 2D6C 6830 2D1B 0000 001B 0000 0039 ..-lh0-........9
00000010 7378 3120 0020                          sx1 .

This may be an underflow, i couln't tell its an
underflow for sure because my MSDEV went into a 100 CPU% loop
while debugging this.
All we need to do is shorten the length of the filename specified inside the
file
or to change the byte which sets the filename's size to a higher value.
For Example:

00000000 1EFF 2D6C 6830 2D1B 0000 001B 0000 0039 ..-lh0-........9
00000010 7378 3120 0020 5C31 3073 7373 7373 7373 sx1 . \10sssssss
00000020 3232 2E68 746D 4543 3C73 6372 6970 7466 22.htmEC<scriptf
00000030 3E61 6C65 7274 2829 3C2F 7363 7269 7074 >alert()</script
00000040 3E0D 0A62 5F2D 6C68 642D 0000 0000 0000 >..b_-lhd-......
00000050 0000 94A4 8431 1000 4C5C 446F 6375 6D65 .....1..L\Docume

Using any Hex editor such as HexWorkshop, just add anything to the filename.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

An online proof of concept can be found at:
http://theinsider.deep-ice.com/poc.lha - (also contains folder names from my
old computer...)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ