| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4728388D.7010602@gmail.com> Date: Wed, 31 Oct 2007 09:10:53 +0100 From: Nicolas RUFF <nicolas.ruff@...il.com> To: Kristian Erik Hermansen <kristian.hermansen@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Microsoft Windows default ZIP handler bug > However, I put together a Flash video showing the bug. It may not be > exploitable, but I also haven't been keeping up with the latest bad > pointer / alternate code path research stuff. Maybe someone can do > some ninjitsu code exec using this... Hello, I had a quick look with SysInternals' ProcMon. Given a B.ZIP file inside an A.ZIP file, the sequence is roughly the following: - User clicks on A.ZIP - Explorer opens A.ZIP and extracts content into a temporary "A" directory - User clicks on B.ZIP inside A.ZIP - Explorer opens B.ZIP and extracts content into a temporary "B" directory - Since A.ZIP is no longer referenced, temporary directory "A" is deleted - User clicks "back" - "A" directory not found, explorer closing I feel you'll have a hard time trying to control EIP ;) Regards, - Nicolas RUFF _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists