BugTraq
Directory traversal vulnerabilities in several archivers processing .tar Dec 16 2002 11:40PM
Florian Schafferhans (fs computer-security de) (2 replies)


Subject

Directory traversal vulnerabilities in several archivers processing .tar files

Author

Florian "sticky bit" Schafferhans
<fs (at) computer-security (dot) de>
http://www.computer-security.de/

Date

17. December 2002

Affected

GNU cpio 2.5
http://www.gnu.org/
tested on Linux 2.2.19

Winzip Computing WinZip 8.1
http://www.winzip.com/
evaluation copy tested on Windows 98 SE

PKWARE PKZip 5.00.01
http://www.pkzip.com/
evaluation copy tested on Windows 98 SE

Aladdin Systems (former Ontrack) ZipMagic 4.0
http://www.aladdinsys.com/
evaluation copy tested on Windows 98 SE

Eugene Roshal's WinRAR 3.00
http://www.rarlabs.com/
evaluation copy tested on Windows 98 SE

Speedproject Squeez 4.0
http://www.speedproject.de/
evaluation copy tested on Windows 98 SE

Speedproject Squeez 4.1
http://www.speedproject.de/
evaluation copy tested on Windows 98 SE

Speedproject SpeedCommander 8.1
http://www.speedproject.de/
evaluation copy tested on Windows 98 SE

Speedproject SpeedCommander 9.0
http://www.speedproject.de/
evaluation copy tested on Windows 98 SE

Summary

The .tar file format is widely used on UNIX(-like) systems. It is able to store almost any information about several files, such as name, owner, mode, etc., including their content, and sum them up in one file, originally meant to be stored on tapes, e. g. for backups. It is also commonly used to bundle a set of files and compress them afterwards with common compression programs such as gzip, since formats like .gz do not support bundling several files, e. g. to transfer file sets over networks with less overhead and more comfort. Note that the .tar file format itself doesn't support any compression at all.

Several programs capable of processing .tar files are vulnerable to directory traversal under certain circumstances. This may result in overwritten files in the best case and in smuggled-in malware in the worst.

Details

The .tar file format works in record blocks, usually of 512 bytes each. For each file in the archive there is a header record holding attributes like the file's name, mode, size and type, the file owner's uid, gid, uname and gname, and several other pieces of information. If necessary, the following records store the file's content.

Several programs do not handle the file's path in such a header record block carefully enough. The path is stored in the first 100 bytes of the header in plain ASCII, filled up with NULL bytes if necessary. If a path string contains a leading slash ('/'), most programs strip it off by default when unpacking an archive (though they offer an option to keep it, which could be useful e. g. when restoring a system from a backup), to avoid files being overwritten by accident. But they do not check for and remove directory-up strings ('../'); they open the given path directly, without any warning. This way it would be possible to place files anywhere in the system, e. g. overwriting the binary of a server software with one containing a back door to gain system access in a further step, or just to leave junk anywhere in the system. It all comes down to guessing the right path and being lucky that the unpacking software doesn't show what's going on, or that the user doesn't notice it.

The circumstance that unpacking .tar files is often the first action when installing new software, and that one is therefore logged in as super user to have the proper privileges, makes things even worse.

Note that a dot-dot-backslash ('..\') will have the same effect on a Windows system.
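As an added example (not part of the advisory, and not code from any of the listed vendors), the following Python script constructs a small .tar in memory, walks its 512-byte header records by hand exactly as described above (name in the first 100 bytes, NUL padded; size as an octal ASCII string in bytes 124 to 135) and flags member names that carry an absolute path or a '..' component, treating '\' like '/' since '..\' behaves the same on Windows. The archive contents, the file names and the helper names (build_sample_tar, iter_headers, unsafe_reasons, audit, names_via_tarfile) are constructed for this example.

```python
import io
import tarfile

BLOCK = 512  # tar record size; headers and content both live in 512-byte records


def build_sample_tar():
    """Construct a small .tar in memory (a constructed sample, not a real archive).

    One harmless entry plus two of the kind the advisory describes: a name
    with '../' components and an absolute one. tarfile writes the ustar headers.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in (("docs/readme.txt", b"hello\n"),
                           ("../../tmp/evil.txt", b"traversal\n"),
                           ("/etc/absolute.txt", b"absolute\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def iter_headers(tar_bytes):
    """Yield (name, size) for every header record, walking the archive by hand.

    Field layout (ustar): name = bytes 0-99, NUL padded; size = bytes 124-135 as
    an octal ASCII string. Content follows, padded to a whole number of records.
    (Names longer than 100 bytes use a prefix field; not needed for this sample.)
    """
    offset = 0
    while offset + BLOCK <= len(tar_bytes):
        hdr = tar_bytes[offset:offset + BLOCK]
        if hdr == b"\0" * BLOCK:          # all-zero record marks end of archive
            break
        name = hdr[0:100].rstrip(b"\0").decode("ascii")
        size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)
        yield name, size
        data_records = (size + BLOCK - 1) // BLOCK
        offset += BLOCK * (1 + data_records)


def unsafe_reasons(name):
    """List why a member name could land outside the extraction directory.

    '\\' is treated like '/' because '..\\' has the same effect on Windows.
    """
    reasons = []
    if name.startswith(("/", "\\")):
        reasons.append("absolute path")
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("'..' component")
    return reasons


def audit(tar_bytes):
    """Map each member name to its findings; an empty list means nothing suspicious."""
    return {name: unsafe_reasons(name) for name, _size in iter_headers(tar_bytes)}


def names_via_tarfile(tar_bytes):
    """Cross-check: the standard library's view of the same member names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return tf.getnames()


if __name__ == "__main__":
    for member, findings in audit(build_sample_tar()).items():
        print(f"{member!r}: {findings or 'ok'}")
```

Running the script lists each member with its findings; the hand-written walker and tarfile's getnames() agree on the member names, which is the check to apply to a real archive before trusting any listing the unpacker's GUI shows.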

The following describes in detail the circumstances under which the affected programs are vulnerable:

GNU cpio 2.5

This software is fully affected.

Winzip Computing WinZip 8.1

When the option "Extract folder names" in the extract dialogue is checked (usually one will use this, otherwise the whole directory structure would be lost, resulting in an unorganized bunch of files), the software behaves exactly as described above. The option is checked by default, so an extraction via the context menu of a file linked to this software (the menu popping up when right-clicking a file's icon in Windows) is also an affected action.

PKWARE PKZip 5.00.01

This software is fully affected.

Aladdin Systems (former Ontrack) ZipMagic 4.0

This software is fully affected.

Eugene Roshal's WinRAR 3.00

This software is not affected in the way described above. It just leaves out any '../' found in a path when extracting .tar files.

The only problem that remains is the display. Like most GUIs, this program shows an archive's content with all files represented by icons, pretending the archive were just a normal directory. All folders of an archive (also those not mentioned explicitly but implied by the paths of the contained files) are displayed as folder icons. There is one special folder displayed, named '..', which leads into the folder the archive lies in (from where it is possible to browse this folder or even the whole file system through the software), or takes you one level up if you are in a folder of the archive.

Unfortunately a '../' in an archive's file name header record will also be shown as a folder named '..' and lead to exactly the same place as the software's own '..' folder. A user might thus assume just an error of the software, not being aware that the archive might contain unseen files or even directory traversal paths. So he might distribute archives which contain potential dangers (when extracted with other programs) without even having the chance to know about it.

Speedproject Squeez 4.0

This software is not affected in the way described above. It will replace any '../' with '___' when extracting .tar files.

Unfortunately it also replaces any '../' in the display with '___'. So users might not be aware that the archive contains directory traversal paths and might so distribute archives containing potential dangers they have no chance to know about.

Speedproject Squeez 4.1

This software is not affected in the way described above. It will ignore any '../' when extracting .tar files, just leaving this part of the path away.

Unfortunately it also ignores it in the display, so it doesn't show a '../' part in a path. So users might not be aware that the archive contains directory traversal paths and might so distribute archives containing potential dangers they have no chance to know about.

Speedproject SpeedCommander 8.1

This software is not affected in the way described above. It will replace any '../' with '___' when extracting .tar files.

Unfortunately it also replaces any '../' in the display with '___'. So users might not be aware that the archive contains directory traversal paths and might so distribute archives containing potential dangers they have no chance to know about.

Speedproject SpeedCommander 9.0

This software is not affected in the way described above. It will ignore any '../' when extracting .tar files, just leaving this part of the path away.

Unfortunately it also ignores it in the display, so it doesn't show a '../' part in a path. So users might not be aware that the archive contains directory traversal paths and might so distribute archives containing potential dangers they have no chance to know about.

Solution

GNU cpio 2.5

As a work-around you could use the -t or --list switch to show the archive's content and check carefully for '../', or perform something like

cpio -t -F file.tar 2> /dev/null | grep "\.\./"

to automate it.

I have not received any information on when an update fixing this issue will be available.

Winzip Computing WinZip 8.1

An update fixing the issue is available under http://www.winzip.com/wz81sr1.htm.

PKWARE PKZip 5.00.01

Open every archive and check paths carefully. Do not extract out of the Windows context menu (right click on a file's icon).

I have not received any information on when an update fixing this issue will be available.

Aladdin Systems (former Ontrack) ZipMagic 4.0

Open every archive and check paths carefully. Do not extract out of the Windows context menu (right click on a file's icon).

I have not received any information on when an update fixing this issue will be available.

Eugene Roshal's WinRAR 3.00

Be suspicious when you see the '..' folder icon twice in an archive.

There is already a new version released fixing this issue, WinRAR 3.10 beta 3. It is available under http://www.rarlabs.com/.

Speedproject Squeez 4.0

Be suspicious when you see a folder named '___' in an archive.

There is already a new release available under http://www.speedproject.de/enu/index.html, Squeez 4.1. But unfortunately in the new release the problems are even worse (see details section).

Speedproject Squeez 4.1

Sorry, but it seems to me like there is no chance other than changing to other software for now.

I have not received any information on when an update fixing this issue will be available.

Speedproject SpeedCommander 8.1

Be suspicious when you see a folder named '___' in an archive.

There is already a new release available under http://www.speedproject.de/enu/index.html, SpeedCommander 9.0. But unfortunately in the new release the problems are even worse (see details section).

Speedproject SpeedCommander 9.0

Sorry, but it seems to me like there is no chance other than changing to other software for now.

I have not received any information on when an update fixing this issue will be available.
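The work-arounds above amount to spotting '../' by eye or with grep before extracting. As an added example (not the advisory's code and not any listed vendor's fix), here is the check an unpacker should apply to every member name before it creates a file: strip leading separators as most tools already do, normalise the name so that 'docs/../../x' is caught as well as a plain '../x', and refuse anything that would not stay inside the destination directory. Silently dropping or renaming the offending part, as some of the tools above do, hides the problem from the user; refusing the member makes it visible. The destination path and member names are constructed for the example, and safe_target and plan_extraction are hypothetical helper names.

```python
import os
import posixpath


class UnsafeMemberPath(ValueError):
    """Raised for an archive member name that would leave the destination directory."""


def safe_target(dest_dir, member_name):
    """Return the absolute path under dest_dir where member_name may be written.

    Hypothetical helper (not code from the advisory or any archiver):
      1. treat '\\' like '/' since '..\\' has the same effect on Windows,
      2. strip leading separators, as most unpackers already do,
      3. normalise '.' and '..' so 'docs/../../x' is seen for what it is,
      4. refuse anything that does not stay inside dest_dir.
    Raises UnsafeMemberPath instead of guessing or quietly renaming.
    """
    rel = member_name.replace("\\", "/").lstrip("/")
    norm = posixpath.normpath(rel)   # 'a/../b' -> 'b'; a leading '..' survives; '' -> '.'
    if norm == "." or norm == ".." or norm.startswith("../"):
        raise UnsafeMemberPath(member_name)
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, *norm.split("/")))
    # belt and braces: re-check containment on the resolved filesystem path
    if os.path.commonpath([base, target]) != base:
        raise UnsafeMemberPath(member_name)
    return target


def plan_extraction(dest_dir, member_names):
    """Return (accepted, rejected): accepted maps member name -> confined target path."""
    accepted, rejected = {}, []
    for name in member_names:
        try:
            accepted[name] = safe_target(dest_dir, name)
        except UnsafeMemberPath:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # constructed member names of the kinds discussed in the advisory
    members = ["docs/readme.txt", "/etc/absolute.txt", "a/../b.txt",
               "../../tmp/evil.txt", "docs/../../escape.txt", "..\\..\\boot.ini"]
    ok, bad = plan_extraction("/tmp/tar-extract-demo", members)
    for name, path in ok.items():
        print(f"extract {name!r} -> {path}")
    for name in bad:
        print(f"REFUSED {name!r}")
```

Note that an absolute member name is not refused but relocated under the destination, matching the leading-slash handling the advisory credits most unpackers with; only names that still climb out after normalisation are rejected.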

Related

Directory traversal and path globing in multiple archivers
http://online.securityfocus.com/archive/1/196445

Special devices access in multiple archivers
http://online.securityfocus.com/archive/1/196965

RE: Directory traversal vulnerabilities in several archivers processing .tar Dec 18 2002 05:18AM
Andrew Kopp (drewk nexed net) (2 replies)
RE: Directory traversal vulnerabilities in several archivers processing .tar Dec 20 2002 02:36PM
konto mailingowe (maillists black punkt pl)
Re: Directory traversal vulnerabilities in several archivers processing .tar Dec 19 2002 07:35PM
Stephen Samuel (samuel bcgreen com)
Re: Directory traversal vulnerabilities in several archivers processing .tar Dec 17 2002 05:54PM
der Mouse (mouse Rodents Montreal QC CA)