SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   SpeedCommander Vendors:   SpeedProject
SpeedProject's SpeedCommander Input Validation Flaw May Let Malicious 'tar' Archives Overwrite or Create Arbitrary Files When Expanded
SecurityTracker Alert ID:  1005828
SecurityTracker URL:  http://securitytracker.com/id/1005828
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 18 2002
Impact:   Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 8.1, 9.0
Description:   An input validation vulnerability was reported in SpeedCommander. A remote user can create a malicious '.tar' archive that, when opened by the target user, may cause arbitrary files to be overwritten or created on the target user's computer.

According to the report, SpeedCommander does not securely process files in a '.tar' archive that contain certain characters in the file path. The software will write files containing '../' and '..\' directory traversal characters without warning the user. This could cause a file to be overwritten or a malicious file to be installed, subject to the target user's privileges.

It is reported that version 8.1 of the software replaces any occurrence of '../' with '___' when extracting an archived file. This is also done when displaying the contents of an archive to the target user, which could obscure the fact that the viewed archive is malicious.

It is reported that version 9.0 of the software removes any '../' characters when extracting an archived file. This is also done when displaying the contents of an archive to the target user, which could obscure the fact that the viewed archive is malicious.

The vendor has reportedly been notified.

Impact:   A remote user could create a malicious tar archive that contains files with specially crafted file path names. When the target user expands the archive, the software may write or overwrite arbitrary files in directories outside of the current directory without warning the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.speedproject.de/speedcommander/index.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Directory traversal vulnerabilities in several archivers




Subject

  Directory traversal vulnerabilities in several
archivers processing .tar
 files



Author

  Florian "sticky bit" Schafferhans
   <fs@computer-security.de>
   http://www.computer-security.de/



Date

  17. December 2002



Affected

 GNU cpio 2.5
  http://www.gnu.org/
  tested on Linux 2.2.19

 Winzip Computing WinZip 8.1
  http://www.winzip.com/
  evaluation copy tested on Windows 98 SE

 PKWARE PKZip 5.00.01
  http://www.pkzip.com/
  evaluation copy tested on Windows 98 SE

 Aladdin Systems (former Ontrack) ZipMagic 4.0
  http://www.aladdinsys.com/
  evaluation copy tested on Windows 98 SE

 Eugene Roshal's WinRAR 3.00
  http://www.rarlabs.com/
  evaluation copy tested on Windows 98 SE

 Speedproject Squeez 4.0
  http://www.speedproject.de/
  evaluation copy tested on Windows 98 SE

 Speedproject Squeez 4.1
  http://www.speedproject.de/
  evaluation copy tested on Windows 98 SE

 Speedproject SpeedCommander 8.1
  http://www.speedproject.de/
  evaluation copy tested on Windows 98 SE

 Speedproject SpeedCommander 9.0
  http://www.speedproject.de/
  evaluation copy tested on Windows 98 SE



Summary

  The .tar file format is widely used on UNIX(-like)
able to stores almost
any information, such as name, owner, mode, etc., of
several files
including their content and sum them up in one file
originally to be stored
on tapes for backups e. g.. It is also commonly used to
get a bunch of
files together and compress them afterwards with common
compression
programs such as gzip, as the .gz e. g. doesn't support
the summary of
several files, e. g. to transfer file sets through
networks with less
overhead and more comfort. Note that the .tar file
format itself doesn't
support any compression at all.
  Several programs capable of processing .tar files are
vulnerable to
directory traversals under certain circumstances. This
may result in
overwritten files, in the best case, in smuggled in
malware in the worst.



Details

  The .tar file format works in record blocks usually
of 512 bytes sizes.
for each file in the archive there is a header record
in which attributes
like the file's name, mode, size, type, the file
owner's uid, gid, uname,
gname and several other information. If necessary the
following records
store the file's content.
  Several programs do not handle the file's path,
stored in the first 100
bytes in plain ASCII and filled up with NULL-bytes if
necessary of such a
header record block carefully enough. If a path's
string contains a leading
slash ('/') most programs strip them off by default
when unpacking an
archive (even if providing to leave it e. g. if
restoring a system after a
backup this could be useful) to avoid files to be
overwritten by accident.
But they don't check and remove directory up strings
('../') but open
directly the given path, without any warning. This way
it would be possible
to place anywhere in the system, e. g. overwriting a
binary of a server
software which contains a back door to gain system
access in a further
step or just leave crap anywhere in the system it's all
up in guessing the
right
path and be lucky that  the unpacking software doesn't
show what's going
on or the user not note it properly.
  The circumstance that unpacking .tar files is often
the first action when
 installing new software and one's logged in as super
user therefore to have
 the proper privileges make things even worse.
  Note that a dot-dot-backslash ('..\') will have the
same effect on a
Windows system.

  The following gives a description how the
circumstances the affected
programs are vulnerable in detail:

   GNU cpio 2.5
     This software is fully affected.

   Winzip Computing WinZip 8.1
     When the option "Extract folder names" in the
extract dialogue is
    checked (usually one will use this, otherwise the
hole directory
    structure would be lost, resulting in an
unorganized bunch of files)
    the software behaves behaves exactly as described
above. The
    option is checked by default so also an extraction
over the
    context menu of a file linked to this software (the
menu popping
    up when right clicking a file's icon in Windows) is
an action
    affected.

   PKWARE PKZip 5.00.01
     This software is fully affected.

   Aladdin Systems (former Ontrack) ZipMagic 4.0
     This software is fully affected.

   Eugene Roshal's WinRAR 3.00
     This software is not affected in the way described
above. It just
    leaves out any '../' found in a path when
extracting .tar files.
     The only problem that remains is the display. This
program shows an
    archive's content similar like most GUIs all files
represented by icons,
    pretending the archive would be just a normal
directory.
     All folders of an archive (also the ones not
mentioned explicitly but
    resulting to the paths of contained files) are
displayed as folder
    icons. There is one special folder displayed named
'..' which will
    lead into the folder the archive lays in, then it's
possible to browse
    this folder or even the whole file system through
the software, or
    let's you get one level up if you are in a folder
of the archive.
     Unfortunately a '../' in an archives file name
header record will also
    be shown as a folder named '..' and lead exactly to
the same like
    the '..' folder of the software itself. A user so
might assume just an
    error of the software not being aware that the
archive might contain
    files not seen or even directory traversal paths.
So he might
    distribute archives which contains potential
dangers (when then
    extracted with other programs) without even having
the chance to know
    about.

   Speedproject Squeez 4.0
     This software is not affected in the way described
above. It will
    replace any '../' with a '___' when extracting .tar
files.
     Unfortunately it also replaces any '../' in the
display with a '___'.
    So users might not be aware of the circumstance
that the archives
    contains directory traversal paths and might so
distribute archives
    containing potential dangers he has no chance to
know about.

   Speedproject Squeez 4.1
     This software is not affected in the way described
above. It will
    ignore any '../' when extracting .tar files, just
leaving this part of
    the path away.
     Unfortunately it also ignores it in the display so
doesn't display a
    '../' part in a path. So users might not be aware
of the circumstance
    that the archives contains directory traversal
paths and might so
    distribute archives containing potential dangers he
has no chance to
    know about.

   Speedproject SpeedCommander 8.1
     This software is not affected in the way described
above. It will
    replace any '../' with a '___' when extracting .tar
files.
     Unfortunately it also replaces any '../' in the
display with a '___'.
    So users might not be aware of the circumstance
that the archives
    contains directory traversal paths and might so
distribute archives
    containing potential dangers he has no chance to
know about.

   Speedproject SpeedCommander 9.0
     This software is not affected in the way described
above. It will
    ignore any '../' when extracting .tar files, just
leaving this part of
    the path away.
     Unfortunately it also ignores it in the display so
doesn't display a
    '../' part in a path. So users might not be aware
of the circumstance
    that the archives contains directory traversal
paths and might so
    distribute archives containing potential dangers he
has no chance
    to know about.



Solution

   GNU cpio 2.5
     As a work-around you could use the -t or --list
switch to show the
    archive's content and check carefully for '../' or
perform something
    like cpio -t -F file.tar 2> /dev/null | grep
"\.\./" to automate it.
     I have not received any information when an update
fixing this issue
    will be available.

   Winzip Computing WinZip 8.1
     An fixing the issues update is available under
    http://www.winzip.com/wz81sr1.htm.

   PKWARE PKZip 5.00.01
     Open every archive and check paths carefully. Do
not extract out of
    the Windows context menu (right click on a file's
icon).
     I have not received any information when an update
fixing this issue
    will be available.

   Aladdin Systems (former Ontrack) ZipMagic 4.0
     Open every archive and check paths carefully. Do
not extract out of
    the Windows context menu (right click on a file's
icon).
     I have not received any information when an update
fixing this issue
    will be available.

   Eugene Roshal's WinRAR 3.00
     Be suspicious when you see the '..' folder icon
twice in an archive.
    There's already a new version released fixing this
issue,
    WinRAR 3.10 beta 3. It is available under
http://www.rarlabs.com/.

   Speedproject Squeez 4.0
     Be suspicious when you see a folder named '___' in
an archive.
     There is already an new release available under
    http://www.speedproject.de/enu/index.html, Squeez
4.1. But
    unfortunately in the new release the problems are
even worse
    (see details section).

   Speedproject Squeez 4.1
     Sorry but it seems to me like there no chance
other than change to an
    other software for now.
     I have not received any information when an update
fixing this issue
    will be available.

   Speedproject SpeedCommander 8.1
     Be suspicious when you see a folder named '___' in
an archive.
     There is already an new release available under
    http://www.speedproject.de/enu/index.html,
SpeedCommander 9.0. But
    unfortunatly in the new release the problems are
even worse
    (see details section).

   Speedproject SpeedCommander 9.0
     Sorry but it seems to me like there no chance
other than change to an
    other software for now.
     I have not received any information when an update
fixing this issue
    will be available.



Related

  Directory traversal and path globing in multiple
archivers
   http://online.securityfocus.com/archive/1/196445
  Special devices access in multiple archivers
   http://online.securityfocus.com/archive/1/196965

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC