SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   UnZip
Vendors:   Info-ZIP
UnZip Utility May Let Malicious Zip Files Install Trojan Files on the Host in Other Directories When a Local User Extracts the Zipped Archive
SecurityTracker Alert ID:  1001995
SecurityTracker URL:  http://securitytracker.com/id/1001995
CVE Reference:   CVE-2001-1268, CVE-2001-1269   (Links to External Site)
Updated:  Dec 15 2003
Original Entry Date:  Jul 13 2001
Impact:   Modification of system information, Modification of user information

Version(s): up to and including 5.42
Description:   A vulnerability has been reported in Info-ZIP's UnZip utility that may result in trojan files being installed when a zipped archive is extracted by a local user.

The UnZip archive extraction utility does not provide protection against path names that include ".." directory traversal characters [CVE: CVE-2001-1268] or against absolute path names [CVE: CVE-2001-1269]. If a local user extracts a malicious archive, it is possible that trojan files could be installed if the user has sufficient permissions to install files.

The vendor has reportedly been notified.

Impact:   Trojan files may be installed when a zipped archive is extracted by a local user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.info-zip.org/pub/infozip/Info-ZIP.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  BeOS, Linux (Any), Apple (Legacy "classic" Mac), UNIX (Any), Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) UnZip Utility May Let Malicious Zip Files Install Trojan Files on the Host in Other Directories When a Local User Extracts the Zipped Archive
Red Hat has released a fix.



 Source Message Contents

Subject:  SECURITY.NNOV: directory traversal and path globbing in multiple archivers



Hello,

Topic:                    Directory traversal and path globbing in
                          multiple archivers
Author:                   3APA3A <3APA3A@security.nnov.ru>
Affected Software:        GNU tar <= 1.13.19, Info-Zip UnZip <= 5.42,
                          RARSoft rar <= 2.02, PKWare pkzipc <= 4.00
Not affected:             rar 2.80, WinZIP 8.0
Risk:                     average
Released:                 July, 2, 2001
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories


Background:

Archive extraction is usually treated by users as a safe operation.
There are a few problems with file extraction, though.

Problem(s):

Among them: huge files with a high compression ratio are able to fill
memory/disk (see the "Antivirus scanner DoS with zip archives" thread on
Vuln-Dev), special device names and special characters in file names,
and directory traversal (dot-dot bug). Probably, directory traversal is
the most dangerous among these bugs, because it allows one to craft an
archive which will trojan the system on extraction. This problem is
known to software developers, and newer archivers usually have some kind
of protection. But in some cases this protection is weak and can be
bypassed. I did very quick (approx. 30 minutes, so maybe I've missed
something) research on a few popular archivers. Results are below.


Detailed info:

GNU tar (all platforms):

 tar below 1.13.19, including the latest releases, has no ".." or
 absolute path protection. The tar development team was contacted. They
 replied that they're aware of the problem and the current development
 version 1.13.19 implements some kind of protection, but it doesn't work
 for most cases due to a bug in the code. An exploitation scenario was
 passed back to the development team. I hope it will work when 1.13.19
 is finally released. See the attached patch (tar-1.13.19.patch). 1.13.19
 sources can be obtained from ftp://alpha.gnu.org/gnu/tar/

Info-Zip's UnZip (all platforms):

 All versions have neither ".." nor absolute path protection. No reply
 from the vendor. See the attached patch (unzip-5.42.patch).

PKWare's PKZip (Windows):

 The console version was tested. It's vulnerable if the archive is
 extracted with the -rec (recursive) option. If this option is not given,
 the archive is extracted without directory structure. All versions up to
 the latest, 4.00, are vulnerable. The program is shareware, no sources
 available. The vendor was contacted, but the status of a patch is unknown.

RARsoft (Eugene Roshal's) RAR (all platforms):

 Directory traversal protection was implemented in rar 2.02. This
 protection can be bypassed. Eugene Roshal was contacted and replied that
 the latest version of rar (2.80) is absolutely safe. It's true, but 2.02
 is the latest available version in most Unix ports (2.80 is available for
 Windows and Linux; you can use the Linux version if your system supports
 Linux emulation). The program is shareware, no sources available.

WinZip (Windows):

 Behavior is close to ideal. The console version doesn't extract files
 with ".." unless a special switch is selected; the windowed version
 warns the user on ".." about the possible impacts of such extraction.

Exploitation:

 Exploitation of path globbing and directory traversal under Windows is
 trivial. On most Unix systems, to exploit directory traversal you have
 to guess the level of the directory the file will be extracted to. tar
 and rar are able to create files with permissions different from the
 umask, which makes it possible to create executables. Only tar
 overwrites target files without prompting by default.

 Demo archives can be found on
 http://www.security.nnov.ru/advisories/archdt.asp

Workaround:

 List the contents of the archive before extraction if the archive was
 obtained from an untrusted source (but keep in mind that the name of the
 file can contain something like ../^H^H^H - do not trust your eyes, use
 some program). Never automate archive extraction, or use a jail if you
 need automation. Be sure never to run extraction as a user with elevated
 privileges.

Solution:

 Wait for a vendor patch, or use checked archivers, or apply the attached
 patches at your own risk.


-- 
http://www.security.nnov.ru
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
Attachments: tar-1.13.19.patch, unzip-5.42.patch
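As an added example (not code from the advisory, Info-ZIP or SecurityTracker), the following Python script does what the workaround above recommends: it audits zip entry names with a program rather than by eye, flagging absolute paths (the CVE-2001-1269 class), ".." components (the CVE-2001-1268 class) and control characters such as the ^H trick, and confirms that each resolved target stays under the destination directory. The archive it inspects is constructed in memory for the demonstration, and the destination /var/tmp/out is an assumed path.

```python
import io
import os
import zipfile

# ASCII control characters (including DEL) can hide ".." in a terminal listing.
CONTROL = {chr(c) for c in range(0x20)} | {"\x7f"}

def unsafe_reasons(name: str) -> list[str]:
    """Reasons an entry name must not be handed to a naive extractor."""
    reasons = []
    norm = name.replace("\\", "/")            # Windows archivers may store '\'
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        reasons.append("absolute path")       # CVE-2001-1269 class
    if ".." in norm.split("/"):
        reasons.append("'..' component")      # CVE-2001-1268 class
    if CONTROL & set(name):
        reasons.append("control character")   # e.g. ../^H^H^H hides the '..'
    return reasons

def stays_inside(dest: str, name: str) -> bool:
    """Final containment check: the resolved target must remain under dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root

def audit_zip(data: bytes, dest: str = "/var/tmp/out") -> dict[str, list[str]]:
    """Map each rejected entry name to its reasons; clean entries are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():            # raw stored names, not sanitized
            reasons = unsafe_reasons(name)
            if not reasons and not stays_inside(dest, name):
                reasons.append("resolves outside destination")
            if reasons:
                findings[name] = reasons
    return findings

def build_sample() -> bytes:
    """Constructed in-memory test archive (not the advisory's demo archives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../outside.txt", "would land above dest\n")
        zf.writestr("/tmp/absolute.txt", "absolute path\n")
        zf.writestr("../\x08\x08\x08docs/hidden.txt", "backspaces mask the ../\n")
    return buf.getvalue()
```

Run `audit_zip(build_sample())` to see the three rejected names with their reasons; only docs/readme.txt passes.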
Copyright 2021, SecurityGlobal.net LLC