This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



SECURITY.NNOV: directory traversal in multiple archivers




FYI: both cygwin ports of tar and unzip are vulnerable.

-=-=-=-=-=-=-=-=-=-

Hello,

Topic:                    Directory traversal in multiple archivers
Author:                   3APA3A <3APA3A@security.nnov.ru>
Affected Software:        GNU tar <= 1.13.19, Info-Zip UnZip <= 5.42,
                          RARSoft rar <= 2.02, PKWare pkzipc <= 4.00
Not affected:             rar 2.80, WinZIP 8.0
Risk:                     low/average
Released:                 July 2, 2001
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories


Background:

Archive extraction is usually treated by users as a safe operation. There
are a lot of problems with file extraction, though.

Problem(s):

Among them: huge files with a high compression ratio are able to fill
memory/disk (see the "Antivirus scanner DoS with zip archives" thread on
Vuln-Dev), special device names and special characters in file names,
and directory traversal (the dot-dot bug). Probably, directory traversal is
the most dangerous among these bugs, because it allows crafting an archive
which will trojan the system on extraction. This problem is known to
software developers, and newer archivers usually have some kind of
protection. But in some cases this protection is weak and can be
bypassed. I did very quick (approx. 30 minutes, so maybe I've
missed something) research on a few popular archivers. Results are
below.


Detailed info:

GNU tar (all platforms):

 tar below 1.13.19, including the latest releases, has no ".."
 protection at all. The tar development team was contacted. They replied
 they're aware of the problem and the current development version 1.13.19
 implements some kind of protection. The protection is far from ideal and
 can be bypassed. The exploitation scenario was passed back to the
 development team. I hope it will work when 1.13.19 is finally released.
 But: status of patch unknown.

Info-Zip's UnZip (all platforms):

 All versions have no protection. No reply from vendor.

PKWare's PKZip (Windows):

 The console version was tested. It's vulnerable if the archive is
 extracted with the -rec (recursive) option. If this option is not given,
 the archive is extracted without directory structure. All versions up to
 the latest, 4.00, are vulnerable. The program is shareware, no sources
 available. Vendor contacted, still in work. Status of patch unknown.

RARsoft (Eugene Roshal's) RAR (all platforms):

 Directory traversal protection was implemented in rar 2.02. This
 protection can be bypassed. Eugene Roshal was contacted and replied that
 the latest version of rar (2.80) is absolutely safe. It's true, but 2.02
 is the latest available version in most Unix ports (2.80 is available
 for Windows and Linux; you can use the Linux version if your system
 supports Linux emulation). The program is shareware, no sources
 available. Status of patch unknown.

WinZip (Windows):

 Behavior is close to ideal. The console version doesn't extract files
 with ".." unless a special switch is selected; the windowed version
 warns the user about the possible impact of extracting "..".

Exploitation:

 Under Windows exploitation is trivial. On most Unix systems you should
 guess the level of the directory the file will be extracted to. tar and
 rar are able to create files with permissions different from the umask,
 which makes it possible to create executables. Only tar overwrites
 target files without prompt by default.

 The attached files create test.txt one level higher than specified by
 the user.

 tar < 1.13.19 :  tar -xf test.tar
 tar <= 1.13.19:  tar -xf test2.tar
 pkzipc <= 4.00:  pkzipc -extr -rec test.zip
 UnZip <= 5.42 :  unzip test.zip
 rar <= 2.02   :  rar x test.rar

Workaround:

 List the content of an archive before extraction if the archive was
 obtained from an untrusted source. Never automate archive extraction, or
 use a jail if you need automation. Be sure never to run extraction as a
 user with elevated privileges.

Solution:

 Wait for a vendor patch or use checked archivers.


-- 
http://www.security.nnov.ru
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)

test.rar

test.tar

test.zip

test1.zip

test2.tar
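The advisory's workaround is to list an archive before extracting it. The following is an added example, not part of the advisory or of any of the archivers it names: a pre-extraction check that flags tar or zip member names which would land outside the extraction directory (leading "..", a ".." that climbs above the root, or an absolute / drive-letter path). The in-memory sample archives are constructed here to mirror the advisory's test.tar / test.zip (one member placed one level up); the function names are my own.

```python
import io
import tarfile
import zipfile


def is_unsafe_member(name):
    """True if extracting this member name could escape the target directory."""
    norm = name.replace("\\", "/")            # treat Windows separators like "/"
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True                           # absolute path or drive letter (C:...)
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue                          # empty or "." components change nothing
        if part == "..":
            depth -= 1
            if depth < 0:                     # climbed above the extraction root
                return True
        else:
            depth += 1
    return False                              # "a/../b" stays inside and is fine


def unsafe_members(archive_bytes):
    """Return the member names of a tar or zip archive (as bytes) that fail the check."""
    buf = io.BytesIO(archive_bytes)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            names = tf.getnames()
    return [n for n in names if is_unsafe_member(n)]


def build_samples():
    """Constructed sample archives: one harmless member plus a dot-dot member."""
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        for name in ("docs/readme", "../test.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("docs/readme", "x")
        zf.writestr("../test.txt", "x")
    return tbuf.getvalue(), zbuf.getvalue()
```

Run the check on an untrusted archive before handing it to tar or unzip, and refuse extraction if the list is non-empty.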
