[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-disclosure] Microsoft Windows default ZIP handler bug
From:       Nicolas RUFF <nicolas.ruff () gmail ! com>
Date:       2007-10-31 8:10:53
Message-ID: 4728388D.7010602 () gmail ! com
[Download RAW message or body]

> However, I put together a Flash video showing the bug.  It may not be
> exploitable, but I also haven't been keeping up with the latest bad
> pointer / alternate code path research stuff.  Maybe someone can do
> some ninjitsu code exec using this...
	
	Hello,

I had a quick look with SysInternals' ProcMon.

Given a B.ZIP file inside an A.ZIP file, the sequence is roughly the
following:

- User clicks on A.ZIP
- Explorer opens A.ZIP and extracts content into a temporary "A" directory
- User clicks on B.ZIP inside A.ZIP
- Explorer opens B.ZIP and extracts content into a temporary "B" directory
- Since A.ZIP is no longer referenced, temporary directory "A" is deleted
- User clicks "back"
- "A" directory not found, explorer closing

I feel you'll have a hard time trying to control EIP ;)

Regards,
- Nicolas RUFF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]