• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

PKWare PKZip Hostile Destination Path Vulnerability

PKWare PKZip is prone to a vulnerability in the handling of pathnames for archived files.

By specifying a path for an archived item which points outside the expected directory scope, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem - including paths containing system binaries and other sensitive or confidential information.

This can be used to create or overwrite binaries in any desired location. Properly exploited, this grants the archive creator an elevation of privileges.

This issue is reported to exist in the console version of the software (pkzipc) and occurs when the recursive (-rec) command line option is specified during decompression.