Hello,

Topic: Directory traversal and path globing in
                          multiple archivers
Author: 3APA3A <3APA3Asecurity.nnov.ru>
Affected Software: GNU tar <= 1.13.19, Info-Zip UnZip <= 5.42,
                          RARSoft rar <= 2.02, PKWare pkzipc <= 4.00
Not affected: rar 2.80, WinZIP 8.0
Risk: average
Released: July, 2, 2001
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

Background:

Archive extraction is usually treated by users as a safe operation.
There are few problems with files extraction though.

Problem(s):

Among them: huge files with high compression ratio are able to fill
memory/disk (see "Antivirus scanner DoS with zip archives" thread on
Vuln-Dev), special device names and special characters in file names,
directory traversal (dot-dot bug). Probably, directory traversal is
most dangerous among this bugs, because it allows to craft archive
which will trojan system on extraction. This problem is known for
software developers, and newer archivers usually have some kind of
protection. But in some cases this protection is weak and can be
bypassed. I did very quick (approx. 30 minutes, so may be I've missed
something) researches on few popular archivers. Results are below.

Detailed info:

GNU tar (all platforms):

 tar below 1.13.19 including latest releases has no any ".." or
 absolute path protection. Tar development team was contacted. They
 replied they're aware of problem and current development version
 1.13.19 implements some kind of protection but it doesn't work for
 most cases due to bug in coding. Exploitation scenario was passed
 back to development team. I hope it will work then 1.13.19 will be
 finally released. See attached patch (tar-1.13.19.patch). 1.13.19
 sources can be obtained from ftp://alpha.gnu.org/gnu/tar/

Info-Zip's UnZip (all platforms):

 all versions have neither .. nor absolute path protection. No reply
 from vendor. See attached patch (unzip-5.42.patch).

PKWare's PKZip (Windows):

 console version was tested. It's vulnerable, if archive is extracted
 with -rec (recursive) option. If this option is not given archive is
 extracted without directory structure. All versions up to latest 4.00
 are vulnerable. Program is shareware, no sources available. Vendor
 contacted but status of patch unknown.

RARsoft (Eugene Roshal's) RAR (all platforms):

 Directory traversal protection was implemented in rar 2.02. This
 protection can be bypassed. Eugene Roshal was contacted and replied
 latest version of rar (2.80) is absolutely safe. It's true, but 2.02
 is latest available version in most Unix ports (2.80 is available for
 Windows and Linux, you can use Linux version if your system supports
 Linux emulation). Program is shareware, no sources available.

WinZip (Windows):

 Behavior is close to ideal. Console version doesn't extract files
 with ".." until special switch is not selected, windowed version
 warns user on ".." about possible impacts of such extraction.

Exploitation:

 Exploitation of path globing and directory traversal under Windows
 exploitation is trivial. On most unix system to exploit directory
 traversal you should guess level of directory file will be extracted
 to. tar and rar are able to create files with permission different
 from umask, it makes it possible to create executables. Only tar
 overwrites target files without prompt by default.

 Demo archives can be found on
 http://www.security.nnov.ru/advisories/archdt.asp

Workaround:

 List content of archive before extraction if archive was obtained
 from untrusted source (but have in mind that name of the file can be
 with something like ../^H^H^H - do not trust your eyes, use some
 program). Never automate archive extraction, or use jail if you need
 automation. Be sure never run extraction from user with elevated
 privileges.

Solution:

 Wait for vendor patch or use checked archivers or apply attached
 patches on your own risk.

-- 
http://www.security.nnov.ru
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)

• application/octet-stream attachment: tar-1.13.19.patch

• application/octet-stream attachment: unzip-5.42.patch

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]