Message-ID: <28915501A44DBA4587FE1019D675F98307C716@grfint.intern.adiscon.com>
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: Special file names in ZIP Files - small issue in Windows and potentially others

I have discovered that some ZIP implementations still have issues when
special system file names are used in a malicious zip file. Two years
ago (!) I had created a small zip file containing a file "prn.txt".
Under DOS/Win, the file name PRN is system reserved. The extension is
simply ignored by the OS API. PRN is the first physically attached
printer (something like /dev/lp under *nix, if I remember correctly).

I initially created this file while working with some email AV vendors.
In fact, 2 years ago the file could be used to create a DoS condition
with some AV products because they silently tried to create a file with
the name stated in the ZIP file. Former testing showed that this led to
timeouts if no printer was attached. With a printer attached, some boxes
even began printing ;). The AV vendors fixed this and I had more or less
forgotten about this file (I wasn't into full disclosure ethics at that
time).

Thanks to hUNT3R, I now remembered it. Interestingly, Windows XP and
2003 do NOT check for special file names. If you open such a ZIP file
with Windows Explorer's ZIP handler, it tries to open the file and times
out (but does NOT print if a printer is attached). I contacted Microsoft
last week and they confirmed this but also said it will not be hot-fixed
because they do not see any security issue arising out of this. They
said this after some (IMHO serious) analysis. I tend to agree. Microsoft
said it will be fixed as part of upcoming service packs.

HOWEVER, it looks like special file names are still an issue within ZIP
files. I have tested those few products I had easily at hand and - other
than in Windows - did not find any issue with them. However, I obviously
do not have access to all that may be vulnerable. I specifically tested
no *nix applications (for *nix, you obviously need to change the
filename to something like /dev/lp).

I see AV programs and specifically mailchecking applications/servers
like antispam or other content management as the primary target for such
attacks.

So it would be a good idea if somebody else would find some time to
check some of the well-known apps (especially those that have been
*ported* to Windows).

Please note that I did my testing just with PRN. In addition to that,
there are many more reserved names, like COMx, LPTx, CON and so on. IF
the application actually allows the API to overwrite a file, it could be
possible to e.g. place a dial string into a malicious ZIP file that then
would be extracted to COM1 (a probable port for a modem...). That in
turn could be misused to dial extremely expensive 900/190 (Germany)
numbers.

PoC
www.adiscon.org/download/badzip.piz

Rename this file to .zip after download. It contains one small file
"prn.txt".

Credits
Many thanks to hUNT3R who pointed out some ZIP file issues recently and
by doing so reminded me of this one.

Rainer Gerhards
Adiscon
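A defensive pre-extraction check of the kind the post asks readers to test for, added here as an example (it is neither the author's PoC nor any vendor's code): it screens every path component of each ZIP member name against the Windows reserved device names, ignoring the extension the way the OS API does, so an extractor can reject such entries before touching the filesystem. The reserved set is the one documented by Microsoft (CON, PRN, AUX, NUL, COM1-9, LPT1-9); the sample archive is constructed in memory.

```python
import io
import zipfile

# Device names Windows reserves regardless of extension (per Microsoft's
# file-naming documentation). Writing to a path whose stem matches one of
# these is routed to the device, not to a file, which is the hang/print
# behaviour the post describes.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_component(component: str) -> bool:
    """True if one path component names a Windows device.

    Windows ignores everything after the first dot ("prn.txt" -> PRN)
    and strips trailing spaces and dots, so both are removed first.
    """
    stem = component.split(".", 1)[0].rstrip(" .")
    return stem.upper() in _RESERVED


def is_reserved_path(entry_name: str) -> bool:
    """Check every component of an archive member name.

    Backslashes are treated as separators as well, since a Windows
    extractor will, even though the ZIP format itself uses '/'.
    """
    parts = entry_name.replace("\\", "/").split("/")
    return any(is_reserved_component(p) for p in parts if p)


def triage_zip(data: bytes) -> dict:
    """Partition member names into safe/rejected without extracting."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            bucket = rejected if is_reserved_path(info.filename) else safe
            bucket.append(info.filename)
    return {"safe": safe, "rejected": rejected}


def build_sample_zip() -> bytes:
    """Constructed in-memory sample archive (not the badzip.piz PoC)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("prn.txt", "sample")        # reserved: PRN
        zf.writestr("docs/COM1.dat", "sample")  # reserved in a subdirectory
        zf.writestr("LPT9.tar.gz", "sample")    # multi-part extension
        zf.writestr("readme.txt", "sample")     # ordinary names follow
        zf.writestr("company/report.pdf", "sample")
        zf.writestr("print.log", "sample")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

Rejected entries are best logged with the raw member name, since the name itself is the indicator worth alerting on in a mail gateway or AV pipeline.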

