Full Disclosure mailing list archives
Special file names in ZIP Files - small issue in Windows and potentially others
From: "Rainer Gerhards" <rgerhards () hq adiscon com>
Date: Mon, 15 Sep 2003 10:50:08 +0200
I have discovered that some ZIP implementations still have issues when special system file names are used in a malicious zip file. Two years ago (!) I had created a small zip file containing a file "prn.txt". Under DOS/Win, the file name PRN is system reserved. The extension is simply ignored by the OS API. PRN is the first physically attached printer (something like /dev/lp under *nix, if I remember correctly).

I initially created this file while working with some email AV vendors. In fact, 2 years ago the file could be used to create a DoS condition with some AV products because they silently tried to create a file with the name stated in the ZIP file. Former testing showed that this led to timeouts if no printer was attached. With a printer attached, some boxes even began printing ;). The AV vendors fixed this and I had more or less forgotten about this file (I wasn't into full disclosure ethics at that time). Thanks to hUNT3R, I now remembered it.

Interestingly, Windows XP and 2003 do NOT check for special file names. If you open such a ZIP file with Windows Explorer's ZIP handler, it tries to open the file and times out (but does NOT print if a printer is attached). I contacted Microsoft last week and they confirmed this but also said it will not be hot-fixed because they do not see any security issue arising out of this. They said this after some (IMHO serious) analysis. I tend to agree. Microsoft said it will be fixed as part of upcoming service packs.

HOWEVER, it looks like special file names are still an issue within ZIP files. I have tested those few products I had easily at hand and - other than in Windows - did not find any issue with them. However, I obviously do not have access to all that may be vulnerable. I specifically tested no *nix applications (for *nix, you obviously need to change the filename to something like /dev/lp).

I see AV programs and specifically mail-checking applications/servers like antispam or other content management as the primary target for such attacks. So it would be a good idea if somebody else would find some time to check some of the well-known apps (especially those that have been *ported* to Windows).

Please note that I did my testing just with PRN. In addition to that, there are many more reserved names, like COMx, LPTx, CON and so on. IF the application actually allows the API to overwrite a file, it could be possible to e.g. place a dial string into a malicious ZIP file that then would be extracted to COM1 (a probable port for a modem...). That in turn could be misused to dial extremely expensive 900/190 (Germany) numbers.

PoC
www.adiscon.org/download/badzip.piz
Rename this file to .zip after download. It contains one small file "prn.txt".

Credits
Many thanks to hUNT3R who pointed out some ZIP file issues recently and by doing so reminded me of this one.

Rainer Gerhards
Adiscon

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
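The check an extractor (or a mail gateway unpacking attachments) should run before writing any archive entry to disk, as an added example that is not part of the original post: it applies the Win32 rule described above (the extension is ignored, so "prn.txt" resolves to PRN) to every path component and flags the classic reserved set CON, PRN, AUX, NUL, COM1-9 and LPT1-9. The sample archive is constructed in memory and only mirrors the PoC's layout; it is not the badzip.piz file.

```python
import io
import re
import zipfile
from typing import List

# Classic Win32 reserved device names (compared case-insensitively). A file whose
# base name, with the extension stripped, matches one of these is routed to the
# device rather than to disk, which is exactly the "prn.txt" behaviour in the post.
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(component: str) -> bool:
    """True if a single path component would be treated as a DOS device on Windows.

    Windows ignores everything after the first dot ("prn.txt" -> PRN) and strips
    trailing spaces and dots before comparing, so those are normalised away first.
    """
    base = component.rstrip(" .").split(".", 1)[0]
    return base.upper() in _RESERVED


def unsafe_zip_entries(zip_bytes: bytes) -> List[str]:
    """Return every entry name whose path contains a reserved device name in any
    component, so the extractor can refuse or rename it instead of writing it."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Entry names may use '/' or, from some tools, '\' as the separator.
            components = re.split(r"[\\/]", info.filename)
            if any(is_reserved_device_name(c) for c in components if c):
                flagged.append(info.filename)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample archive: a "prn.txt" like the PoC, a harmless file, and
    a COMx entry hidden in a subdirectory (sample content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("prn.txt", "sample")
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("out/COM1.cfg", "sample")
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_zip_entries(build_sample_zip()))  # ['prn.txt', 'out/COM1.cfg']
```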