Directory traversal vulnerabilities in several archivers



Florian Schafferhans
17/12/02, 22:41
Subject

Directory traversal vulnerabilities in several archivers processing .tar files



Author

Florian "sticky bit" Schafferhans
<fs@computer-security.de>
http://www.computer-security.de/



Date

17. December 2002



Affected

GNU cpio 2.5
http://www.gnu.org/
tested on Linux 2.2.19

Winzip Computing WinZip 8.1
http://www.winzip.com/
evaluation copy tested on Windows 98 SE

PKWARE PKZip 5.00.01
http://www.pkzip.com/
evaluation copy tested on Windows 98 SE

Aladdin Systems (former Ontrack) ZipMagic 4.0
http://www.aladdinsys.com/
evaluation copy tested on Windows 98 SE

Eugene Roshal's WinRAR 3.00
http://www.rarlabs.com/
evaluation copy tested on Windows 98 SE

Speedproject Squeez 4.0
http://www.speedproject.de/
evaluation copy tested on Windows 98 SE

Speedproject Squeez 4.1
http://www.speedproject.de/
evaluation copy tested on Windows 98 SE

Speedproject SpeedCommander 8.1
http://www.speedproject.de/
evaluation copy tested on Windows 98 SE

Speedproject SpeedCommander 9.0
http://www.speedproject.de/
evaluation copy tested on Windows 98 SE



Summary

The .tar file format is widely used on UNIX(-like) systems. It is able to store almost any information, such as name, owner, mode, etc., of several files, including their content, and sum them up in one file, originally to be stored on tapes for backups, e.g. It is also commonly used to get a bunch of files together and compress them afterwards with common compression programs such as gzip, as the .gz, e.g., doesn't support the summary of several files, e.g. to transfer file sets through networks with less overhead and more comfort. Note that the .tar file format itself doesn't support any compression at all.

Several programs capable of processing .tar files are vulnerable to directory traversals under certain circumstances. This may result in overwritten files in the best case, and in smuggled-in malware in the worst.



Details

The .tar file format works in record blocks, usually of 512 bytes in size. For each file in the archive there is a header record which holds attributes like the file's name, mode, size, type, the file owner's uid, gid, uname, gname and several other pieces of information. If necessary the following records store the file's content.

Several programs do not handle the file's path, stored in the first 100 bytes of such a header record block in plain ASCII and filled up with NULL-bytes if necessary, carefully enough. If a path's string contains a leading slash ('/'), most programs strip it off by default when unpacking an archive (even if providing an option to leave it, e.g. if restoring a system after a backup this could be useful) to avoid files being overwritten by accident. But they don't check and remove directory-up strings ('../'); they directly open the given path, without any warning. This way it would be possible to place files anywhere in the system, e.g. overwriting a binary of a server software which contains a back door to gain system access in a further step, or just leave crap anywhere in the system. It's all up to guessing the right path and being lucky that the unpacking software doesn't show what's going on or the user doesn't note it properly.

The circumstance that unpacking .tar files is often the first action when installing new software, and that one is logged in as super user in order to have the proper privileges, makes things even worse.

Note that a dot-dot-backslash ('..\') will have the same effect on a Windows system.

The following gives a description of the circumstances under which the affected programs are vulnerable, in detail:

GNU cpio 2.5
This software is fully affected.

Winzip Computing WinZip 8.1
When the option "Extract folder names" in the extract dialogue is checked (usually one will use this, otherwise the whole directory structure would be lost, resulting in an unorganized bunch of files) the software behaves exactly as described above. The option is checked by default, so an extraction over the context menu of a file linked to this software (the menu popping up when right clicking a file's icon in Windows) is also an affected action.

PKWARE PKZip 5.00.01
This software is fully affected.

Aladdin Systems (former Ontrack) ZipMagic 4.0
This software is fully affected.

Eugene Roshal's WinRAR 3.00
This software is not affected in the way described above. It just leaves out any '../' found in a path when extracting .tar files. The only problem that remains is the display. This program shows an archive's content similar to most GUIs, all files represented by icons, pretending the archive would be just a normal directory. All folders of an archive (also the ones not mentioned explicitly but resulting from the paths of contained files) are displayed as folder icons. There is one special folder displayed named '..' which will lead into the folder the archive lies in; then it's possible to browse this folder or even the whole file system through the software, or it lets you get one level up if you are in a folder of the archive. Unfortunately a '../' in an archive's file name header record will also be shown as a folder named '..' and lead exactly to the same place as the '..' folder of the software itself. A user so might assume just an error of the software, not being aware that the archive might contain files not seen or even directory traversal paths. So he might distribute archives which contain potential dangers (when then extracted with other programs) without even having the chance to know about it.

Speedproject Squeez 4.0
This software is not affected in the way described above. It will replace any '../' with a '___' when extracting .tar files. Unfortunately it also replaces any '../' in the display with a '___'. So users might not be aware of the circumstance that the archive contains directory traversal paths and might so distribute archives containing potential dangers they have no chance to know about.

Speedproject Squeez 4.1
This software is not affected in the way described above. It will ignore any '../' when extracting .tar files, just leaving this part of the path out. Unfortunately it also ignores it in the display, so it doesn't display a '../' part in a path. So users might not be aware of the circumstance that the archive contains directory traversal paths and might so distribute archives containing potential dangers they have no chance to know about.

Speedproject SpeedCommander 8.1
This software is not affected in the way described above. It will replace any '../' with a '___' when extracting .tar files. Unfortunately it also replaces any '../' in the display with a '___'. So users might not be aware of the circumstance that the archive contains directory traversal paths and might so distribute archives containing potential dangers they have no chance to know about.

Speedproject SpeedCommander 9.0
This software is not affected in the way described above. It will ignore any '../' when extracting .tar files, just leaving this part of the path out. Unfortunately it also ignores it in the display, so it doesn't display a '../' part in a path. So users might not be aware of the circumstance that the archive contains directory traversal paths and might so distribute archives containing potential dangers they have no chance to know about.



Solution

GNU cpio 2.5
As a work-around you could use the -t or --list switch to show the archive's content and check carefully for '../', or perform something like cpio -t -F file.tar 2> /dev/null | grep "\.\./" to automate it. I have not received any information when an update fixing this issue will be available.

Winzip Computing WinZip 8.1
An update fixing the issues is available under http://www.winzip.com/wz81sr1.htm.

PKWARE PKZip 5.00.01
Open every archive and check paths carefully. Do not extract out of the Windows context menu (right click on a file's icon). I have not received any information when an update fixing this issue will be available.

Aladdin Systems (former Ontrack) ZipMagic 4.0
Open every archive and check paths carefully. Do not extract out of the Windows context menu (right click on a file's icon). I have not received any information when an update fixing this issue will be available.

Eugene Roshal's WinRAR 3.00
Be suspicious when you see the '..' folder icon twice in an archive. There's already a new version released fixing this issue, WinRAR 3.10 beta 3. It is available under http://www.rarlabs.com/.

Speedproject Squeez 4.0
Be suspicious when you see a folder named '___' in an archive. There is already a new release available under http://www.speedproject.de/enu/index.html, Squeez 4.1. But unfortunately in the new release the problems are even worse (see details section).

Speedproject Squeez 4.1
Sorry, but it seems to me there is no chance other than changing to other software for now. I have not received any information when an update fixing this issue will be available.

Speedproject SpeedCommander 8.1
Be suspicious when you see a folder named '___' in an archive. There is already a new release available under http://www.speedproject.de/enu/index.html, SpeedCommander 9.0. But unfortunately in the new release the problems are even worse (see details section).

Speedproject SpeedCommander 9.0
Sorry, but it seems to me there is no chance other than changing to other software for now. I have not received any information when an update fixing this issue will be available.



Related

Directory traversal and path globing in multiple archivers
http://online.securityfocus.com/archive/1/196445
Special devices access in multiple archivers
http://online.securityfocus.com/archive/1/196965
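A defensive scanner for the header layout the advisory describes, added here as an example and not part of the original post: it walks the 512-byte records, reads the NUL-padded name field (plus the ustar prefix field), skips each entry's data blocks using the octal size field, and flags names that would land outside the extraction directory, including the '..\' variant a Windows archiver would honour. The sample archive and its entry names are constructed inside the script.

```python
import io
import tarfile

BLOCK = 512  # .tar record size


def is_unsafe(name: str) -> bool:
    """True if extracting this entry could escape the target directory.

    Backslashes are treated like slashes, as a Windows archiver would."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or ".." in parts


def scan_tar(data: bytes) -> list[str]:
    """Walk the 512-byte header records and return the entry names to reject."""
    flagged, off = [], 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:                      # end-of-archive marker
            break
        name = hdr[:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        if hdr[257:262] == b"ustar":                  # ustar prefix field, if any
            prefix = hdr[345:500].split(b"\0", 1)[0].decode("utf-8", "replace")
            if prefix:
                name = prefix + "/" + name
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        if is_unsafe(name):
            flagged.append(name)
        off += BLOCK + -(-size // BLOCK) * BLOCK      # header plus padded data
    return flagged


def build_sample() -> bytes:
    """Constructed test archive; the entry names are made up for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../../outside.txt",
                     "..\\outside.txt", "/abs/path.txt"):
            info = tarfile.TarInfo(name)
            body = b"x"
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_tar(build_sample()):
        print("unsafe path:", entry)
```

Python 3.12's tarfile applies the same kind of check itself when extracting with filter="data", which refuses such entries.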

konto mailingowe
21/12/02, 01:14
In a message of Wed, 18-12-2002, 06:18, Andrew Kopp writes:
> I don't really think this falls into vulnerability because most software
> will prompt you before it overwrites any file by default. And if anyone
> would actually allow their own SSHd binary to be over written deserves
> to be hacked.

And what about adding files in some specific dirs? E.g. /etc/rc.boot in Debian (I mean run-parts).

>
> And to those who extract an un-trusted archive and set the "don't prompt
> me" flag, you really need a lesson in 'basic' (very obvious too!)
> security practices.
>
> No pun intended.
>
>
>
> Regards,
>
>
> drewk~
>
>
>
> -----Original Message-----
> From: Florian Schafferhans [mailto:fs@computer-security.de]
> Sent: Monday, December 16, 2002 6:41 PM
> To: bugtraq@securityfocus.com
> Subject: Directory traversal vulnerabilities in several archivers
> processing .tar
>
>
>
> Subject
>
> Directory traversal vulnerabilities in several
> archivers processing .tar
> files
>
>
> [ email... blah blah blah blah ]
>
>
>
>