Full Disclosure mailing list archives
Re: Microsoft Windows default ZIP handler bug
From: Nicolas RUFF <nicolas.ruff () gmail com>
Date: Wed, 31 Oct 2007 09:10:53 +0100
However, I put together a Flash video showing the bug. It may not be exploitable, but I also haven't been keeping up with the latest bad pointer / alternate code path research stuff. Maybe someone can do some ninjitsu code exec using this...
Hello,
I had a quick look with SysInternals' ProcMon.
Given a B.ZIP file inside an A.ZIP file, the sequence is roughly the
following:
- User clicks on A.ZIP
- Explorer opens A.ZIP and extracts content into a temporary "A" directory
- User clicks on B.ZIP inside A.ZIP
- Explorer opens B.ZIP and extracts content into a temporary "B" directory
- Since A.ZIP is no longer referenced, temporary directory "A" is deleted
- User clicks "back"
- "A" directory not found, explorer closing
I feel you'll have a hard time trying to control EIP ;)
Regards,
- Nicolas RUFF
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft Windows default ZIP handler bug Kristian Erik Hermansen (Oct 15)
- Re: Microsoft Windows default ZIP handler bug 3APA3A (Oct 15)
- Re: Microsoft Windows default ZIP handler bug Kristian Erik Hermansen (Oct 15)
- Re: Microsoft Windows default ZIP handler bug naveed (Oct 15)
- Re: Microsoft Windows default ZIP handler bug Nicolas RUFF (Oct 31)
- Re: Microsoft Windows default ZIP handler bug 3APA3A (Oct 15)