Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: General Information :: sb5886.htm

Directory traversal vulnerabilities in several archivers



18th Dec 2002 [SBWID-5886]
COMMAND

	Directory traversal vulnerabilities in several archivers

SYSTEMS AFFECTED

	 GNU cpio 2.5
	  http://www.gnu.org/
	  tested on Linux 2.2.19
	
	 Winzip Computing WinZip 8.1
	  http://www.winzip.com/
	  evaluation copy tested on Windows 98 SE
	
	 PKWARE PKZip 5.00.01
	  http://www.pkzip.com/
	  evaluation copy tested on Windows 98 SE
	
	 Aladdin Systems (former Ontrack) ZipMagic 4.0
	  http://www.aladdinsys.com/
	  evaluation copy tested on Windows 98 SE
	
	 Eugene Roshal's WinRAR 3.00
	  http://www.rarlabs.com/
	  evaluation copy tested on Windows 98 SE
	
	 Speedproject Squeez 4.0
	  http://www.speedproject.de/
	  evaluation copy tested on Windows 98 SE
	
	 Speedproject Squeez 4.1
	  http://www.speedproject.de/
	  evaluation copy tested on Windows 98 SE
	
	 Speedproject SpeedCommander 8.1
	  http://www.speedproject.de/
	  evaluation copy tested on Windows 98 SE
	
	 Speedproject SpeedCommander 9.0
	  http://www.speedproject.de/
	  evaluation copy tested on Windows 98 SE

PROBLEM

	Florian    "sticky    bit"    Schafferhans     [fs@computer-security.de]
	[http://www.computer-security.de/] says :
	
	The .tar file format is  widely  used  on  UNIX(-like)  able  to  stores
	almost any information, such as name,  owner,  mode,  etc.,  of  several
	files including their content and sum them up in one file originally  to
	be stored on tapes for backups e. g.. It is also commonly used to get  a
	bunch of  files  together  and  compress  them  afterwards  with  common
	compression programs such as gzip, as the .gz e. g. doesn't support  the
	summary of several files, e. g. to transfer file sets  through  networks
	with less overhead and more comfort. Note  that  the  .tar  file  format
	itself doesn't support any compression at all.
	 
	Several programs capable of processing  .tar  files  are  vulnerable  to
	directory traversals under certain circumstances.  This  may  result  in
	overwritten files, in the best case,  in  smuggled  in  malware  in  the
	worst.
	
	
	 Details
	 =======
	
	The .tar file format works in record blocks usually of 512 bytes  sizes.
	for each file  in  the  archive  there  is  a  header  record  in  which
	attributes like the file's name, mode,  size,  type,  the  file  owner's
	uid, gid, uname, gname and several other information. If  necessary  the
	following records store the file's content.
	
	Several programs do not handle the file's path, stored in the first  100
	bytes in plain ASCII and filled up with NULL-bytes if necessary of  such
	a header record block carefully enough. If a path's  string  contains  a
	leading slash ('/')  most  programs  strip  them  off  by  default  when
	unpacking an archive (even if providing to leave it e. g.  if  restoring
	a system after a backup this could be  useful)  to  avoid  files  to  be
	overwritten by accident. But they don't check and  remove  directory  up
	strings ('../') but open directly the given path, without  any  warning.
	This way it would be possible to place anywhere in  the  system,  e.  g.
	overwriting a binary of a server software which contains a back door  to
	gain system access in a further step or just leave crap anywhere in  the
	system it's all up in guessing the right path  and  be  lucky  that  the
	unpacking software doesn't show what's going on or the user not note  it
	properly.
	
	The circumstance that unpacking .tar files is  often  the  first  action
	when  installing  new  software  and  one's  logged  in  as  super  user
	therefore to have the proper privileges make things even worse.
	
	Note that a dot-dot-backslash ('..\') will have the  same  effect  on  a
	Windows system.
	
	The following gives a description how  the  circumstances  the  affected
	programs are vulnerable in detail:
	 
	   GNU cpio 2.5
	
	     This software is fully affected.
	 
	   Winzip Computing WinZip 8.1
	
	     When the option "Extract folder names" in the extract dialogue is
	    checked (usually one will use this, otherwise the hole directory
	    structure would be lost, resulting in an unorganized bunch of files)
	    the software behaves behaves exactly as described above. The
	    option is checked by default so also an extraction over the
	    context menu of a file linked to this software (the menu popping
	    up when right clicking a file's icon in Windows) is an action
	    affected.
	 
	   PKWARE PKZip 5.00.01
	
	     This software is fully affected.
	 
	   Aladdin Systems (former Ontrack) ZipMagic 4.0
	
	     This software is fully affected.
	 
	   Eugene Roshal's WinRAR 3.00
	
	     This software is not affected in the way described above. It just
	    leaves out any '../' found in a path when extracting .tar files.
	    The only problem that remains is the display. This program shows an
	    archive's content similar like most GUIs all files represented by icons,
	    pretending the archive would be just a normal directory.
	    All folders of an archive (also the ones not mentioned explicitly but
	    resulting to the paths of contained files) are displayed as folder
	    icons. There is one special folder displayed named '..' which will
	    lead into the folder the archive lays in, then it's possible to browse
	    this folder or even the whole file system through the software, or
	    let's you get one level up if you are in a folder of the archive.
	    Unfortunately a '../' in an archives file name header record will also
	    be shown as a folder named '..' and lead exactly to the same like
	    the '..' folder of the software itself. A user so might assume just an
	    error of the software not being aware that the archive might contain
	    files not seen or even directory traversal paths. So he might
	    distribute archives which contains potential dangers (when then
	    extracted with other programs) without even having the chance to know
	    about.
	 
	   Speedproject Squeez 4.0
	
	     This software is not affected in the way described above. It will
	    replace any '../' with a '___' when extracting .tar files.
	    Unfortunately it also replaces any '../' in the display with a '___'.
	    So users might not be aware of the circumstance that the archives
	    contains directory traversal paths and might so distribute archives
	    containing potential dangers he has no chance to know about.
	 
	   Speedproject Squeez 4.1
	
	     This software is not affected in the way described above. It will
	    ignore any '../' when extracting .tar files, just leaving this part of
	    the path away. Unfortunately it also ignores it in the display so 
	    doesn't display a '../' part in a path. So users might not be aware of 
	    the circumstance that the archives contains directory traversal paths and 
	    might so distribute archives containing potential dangers he has no chance
	    to know about.
	 
	   Speedproject SpeedCommander 8.1
	
	     This software is not affected in the way described above. It will
	    replace any '../' with a '___' when extracting .tar files.
	    Unfortunately it also replaces any '../' in the display with a '___'.
	    So users might not be aware of the circumstance that the archives
	    contains directory traversal paths and might so distribute archives
	    containing potential dangers he has no chance to know about.
	 
	   Speedproject SpeedCommander 9.0
	
	     This software is not affected in the way described above. It will
	    ignore any '../' when extracting .tar files, just leaving this part of
	    the path away. Unfortunately it also ignores it in the display so
	    doesn't display a '../' part in a path. So users might not be aware
	    of the circumstance that the archives contains directory traversal
	    paths and might so distribute archives containing potential dangers he
	    has no chance to know about.
	

SOLUTION

	 GNU cpio 2.5
	
	As a work-around you could use the -t  or  --list  switch  to  show  the
	archive's content and check carefully for '../' or perform something
	
	    like cpio -t -F file.tar 2> /dev/null | grep "\.\./" to automate it.
	
	I have not received any information when an  update  fixing  this  issue
	will be available.
	
	   Winzip Computing WinZip 8.1
	 
	An fixing the issues update is available under
	
	    http://www.winzip.com/wz81sr1.htm.
	
	   PKWARE PKZip 5.00.01
	
	Open every archive and check paths carefully. Do not extract out of  the
	Windows context menu  (right  click  on  a  file's  icon).  I  have  not
	received any information when  an  update  fixing  this  issue  will  be
	available.
	
	   Aladdin Systems (former Ontrack) ZipMagic 4.0
	
	Open every archive and check paths carefully. Do not extract out of  the
	Windows context menu  (right  click  on  a  file's  icon).  I  have  not
	received any information when  an  update  fixing  this  issue  will  be
	available.
	
	   Eugene Roshal's WinRAR 3.00
	 
	Be suspicious when you see the '..' folder icon  twice  in  an  archive.
	There's already a new version released fixing this  issue,  WinRAR  3.10
	beta 3. It is available under
	
	    http://www.rarlabs.com/.
	
	   Speedproject Squeez 4.0
	
	Be suspicious when you see a folder named '___' in an archive. There  is
	already an new release available under
	
	    http://www.speedproject.de/enu/index.html, 
	
	Squeez 4.1. But unfortunately in the new release the problems  are  even
	worse (see details section).
	
	   Speedproject Squeez 4.1
	
	Sorry but it seems to me like there no chance other than  change  to  an
	other software for now. I have not  received  any  information  when  an
	update fixing this issue will be available.
	
	   Speedproject SpeedCommander 8.1
	
	Be suspicious when you see a folder named '___' in an archive. There  is
	already an new release available under
	
	    http://www.speedproject.de/enu/index.html,
	
	SpeedCommander 9.0. But unfortunatly in the  new  release  the  problems
	are even worse (see details section).
	
	   Speedproject SpeedCommander 9.0
	
	Sorry but it seems to me like there no chance other than  change  to  an
	other software for now. I have not  received  any  information  when  an
	update fixing this issue will be available.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH