[Full-Disclosure] Multiple* bug's associated with Win xp default zip Manager...
- To: full-disclosure@xxxxxxxxxxxxxxxx
- From: Bipin Gautam <door_hUNT3R@xxxxxxxxxxxxxxxxx>
- Date: Wed, 10 Sep 2003 11:50:41 -0700 (PDT)
1).
---DESCRIPTION---
The Win XP default zip manager prompts for a password [even when there is no
password] if the zipped file has folder(s) with more than 121 subdirectories in
it, but this situation varies with some conditions, as specified below...
---Bug Demonstration---
---------------
Create a batch script (*.bat)
---------------
:lol
md 1
cd 1
goto lol
-------------
[OR, download] http://www.geocities.com/visitbipin/winxp_zip_bug.zip
If you "execute" this batch script [*.bat] from your root [i.e. c:\],
Windows can create at most 121 subdirectories, i.e. \..\1\1\1\..\... [up to the
121st subdirectory], then the batch script ends with an error message...
Now say I put "md 12" instead of "md 1" in the above script [i.e. a
two-character directory name instead of one]: Windows can create at most... 80
subdirectories!
Again, say I put md 12345 -> "a five-character directory name, in the same
way..." <-
Windows can create at most... 39 subdirectories!
HENCE, IF you simply ZIP A FILE WITH SAY 39 SUBDIRECTORIES in it, with a
5-character directory name as explained in the above demonstration [i.e. md
12345], the Win XP default zip manager prompts for a password in the extraction
process [copy the 12345.zip file to c:\windows\system32 and try extracting it
there], but when you use third-party software, it simply ends up with an error
[as Windows has restrictions on the number of subdirectories it can create,
which is proportional to the number of characters used to label a folder!]
Moreover, it even prompts for a password for file names that don't exist!
---Conclusion---
Concluding from the experiment conducted from Linux on a FAT32/NTFS partition,
it seems the problem isn't with the "file system itself" but occurs due to
the restrictions of Windows!
__________________________________________________________________________
2).
---Description---
Win xp default zip manager can't handle long file names properly...
---Bug Demonstration---
Create a new file with very long file name... in your c:\
[ say:
1.111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
]
[or, download] http://www.geocities.com/visitbipin/zip_long.zip
Windows XP will easily allow you to create that file. Now zip the file [the
above-mentioned one, i.e. 1.11111111111111111111*] using the Win XP default zip
manager [say the new file created is 1.zip].
But strangely, if you open the file [1.zip] with Windows Explorer [i.e. view its
contents], you can see neither a file name nor its extension in the archive, but
simply its icon only!
Moreover, Windows XP doesn't allow you to delete the long file created in the
above example through GUI mode [...you have to use the command prompt] and you
end up with an error: Can't delete 1 : The folder is empty. [Actually it's a file!]
___________________________________________________________________________
3).
---Description---
A probable buffer overflow with winxp default zip manager! [zipfldr.dll]
---Demonstration---
http://www.geocities.com/visitbipin/hUNTER_.zip
Well, as Win XP automatically creates a bug report of a crash, the bug is
self-explanatory.
Simply try extracting the above file using the Win XP default zip manager, or
try viewing the file hUNTER_..PKT, and YOUR EXPLORER WILL CRASH!
--[Background Information]--
These bugs were originally discovered by hUNT3R [myself], a member of 01
Security Submission. The vendor was notified via email.
---[about 01 security submission]---
01s.s is a small group having experience as security specialists, programmers
and system administrators.
http://www.ysgnet.com/hn
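
A pre-extraction check for the two archive shapes demonstrated in the post (deep directory nesting and a very long file name), added here as an example and not part of the original message. The limits are the documented Win32 values (MAX_PATH of 260, directories 12 less), which is an assumption and not the counts measured in the post; `audit_zip` and `build_zip` are hypothetical names and the sample archives are constructed.

```python
import io
import zipfile

MAX_PATH = 260            # documented Win32 limit, counting the trailing NUL
MAX_DIR = MAX_PATH - 12   # directories must leave room for an 8.3 file name


def audit_zip(data, dest="c:\\windows\\system32"):
    """Return (depth, path_length, name) for each entry too long to extract under dest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # ZIP entry names use "/" as separator; rebuild the Windows path.
            parts = [p for p in info.filename.split("/") if p]
            full = dest.rstrip("\\") + "\\" + "\\".join(parts)
            limit = MAX_DIR if info.is_dir() else MAX_PATH
            if len(full) + 1 > limit:   # +1 for the NUL terminator
                findings.append((len(parts), len(full), info.filename))
    return findings


def build_zip(names):
    """Build an in-memory archive of empty entries (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples modelled on the post's demonstrations.
NESTED = build_zip(["12345/" * 39])         # 39 nested five-character directories
LONG_NAME = build_zip(["1." + "1" * 249])   # one very long file name
BENIGN = build_zip(["docs/readme.txt"])

if __name__ == "__main__":
    samples = (("nested", NESTED), ("long name", LONG_NAME), ("benign", BENIGN))
    for label, blob in samples:
        for depth, length, name in audit_zip(blob):
            print(f"{label}: depth={depth} path_len={length} entry={name[:20]}...")
```

Both constructed archives pass the check when the destination is `c:\` and fail it under `c:\windows\system32`, which is why the destination directory is a parameter.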