Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Multiple* bug's associated with Win xp default zip Manager...

From: Bipin Gautam <door_hUNT3R () blackcodemail com>
Date: Wed, 10 Sep 2003 11:50:41 -0700 (PDT)
1).
---DESCRIPTION---
 Win xp default zip manager prompt's for a password, [even* when there is no password] if the zipped file has folder/s 
with more than 121 sub directories in it, but this situation does vary with some condition as specified below...

---Bug Demonstration---
---------------
Create a batch script (*.bat)
---------------
 :lol
 md 1
 cd 1
 goto lol
-------------
[OR, download] http://www.geocities.com/visitbipin/winxp_zip_bug.zip

 If you "execute" this batch script [*.bat] from your root, [ ie   c:\  ] windows can at-most create 121'th sub 
directory, ie \..\1\1\1\..\...[upto 121'th sub directory,] then the batch script ends with a error messages...

 Now say if i put "md 12" instead of "md 1" to the above script, [ie two characters 
 Directory name instead of one"] windows can at most create... 80 sub directory!

 Again, say if i put md 12345 ->"five character directory name in the same way..."<- 
 windows can at most create... 39 sub directory!

 HENCE, IF you simply ZIP A FILE WITH SAY 39 SUB-DIRECTORY in it with 5 character directory name as explained in the 
above demonstration [ie: md 12345 ] Win xp default zip manager prompts for a password in extraction process [copy the 
12345.zip file to c:\windows\system32 and try extracting it there] but when you use a third party software, it simply 
ends up with an error. [as windows has restrictions on creating number of sub - directories which is proportional to 
the number of characters used to label a folder!]

Moreover it even prompt for password to file names that doesn't exists!

---Conclusion---
Concluding from the experiment conducted from LINUX, on a fat32/ntfs partition, it seems the problem isn't with the 
"file system itself" but it occurs due to the restriction of windows!

__________________________________________________________________________

2).
---Description---
Win xp default zip manager can't handle long file names properly...

---Bug Demonstration---
Create a new file with very long file name... in your c:\
 [ say:
1.111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
 ] 

[or, download]   http://www.geocities.com/visitbipin/zip_long.zip

Windows xp will easily allow you to create that file, now zip the file [ above mentioned ie 1.11111111111111111111* ] 
using winxp default zip manager, [say, the new file created is 1.zip]
But strangely, if you open the file [1.zip] with windows explorer [ie view it's content] You can neither see a file 
name nor its extension in the archive but simply its icon only!

Moreover, windows xp doesn't allow you to delete the long file created in the above example, through GUI mode [...have 
to use command prompt] and end up with an error Can't delete 1 : The folder is empty. [actually its a file!]
___________________________________________________________________________

3).
---Description---
A probable buffer overflow with winxp default zip manager! [zipfldr.dll]

---Demonstration---
http://www.geocities.com/visitbipin/hUNTER_.zip

Well, as win xp automatically creates a bug report of a crash, the bug is self explanatory.
Simply try extracting the above file using win xp default zip manager or try viewing the file hUNTER_..PKT YOUR 
EXPLORER WILL CRASH!

--[Background Information]--
These bug's were originally discovered by hUNT3R, [myself] a member of 01 Security Sumbission. The vendor was notified 
via email.
---[about 01 security submission]---
01s.s is a small group having experience as security specialists, programmers and system administrators.
http://www.ysgnet.com/hn

_____________________________________________________________
Secure mail ---> http://www.blackcode.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: