BugTraq
Medium severity flaw with Ark Oct 07 2011 09:32AM
Tim Brown (timb nth-dimension org uk)
I recently discovered that the Ark archiving tool is vulnerable to directory
traversal via malformed Zip files. When attempts are made to view files within the
malformed Zip file in Ark's default view, the wrong file may be displayed due to
incorrect construction of the temporary file name. Whilst this does not allow
the wrong file to be overwritten, after closing the default view, Ark will then
attempt to delete the temporary file which could result in the deletion of
the incorrect file.

After discussions with the vendor, CVE-2011-2725 was assigned to this
vulnerability.

Tim
--
Tim Brown
<mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
<http://www.nth-dimension.org.uk/>

Nth Dimension Security Advisory (NDSA20110726)
Date: 26th July 2011
Author: Tim Brown <mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Ark 2.16 <http://utils.kde.org/projects/ark>
Vendor: KDE <http://www.kde.org/>
Risk: Medium

Summary

The Ark archiving tool is vulnerable to directory traversal via malformed
Zip files. When attempts are made to view files within the malformed Zip
file in Ark's default view, the wrong file may be displayed due to incorrect
construction of the temporary file name. Whilst this does not allow the
wrong file to be overwritten, after closing the default view, Ark will then
attempt to delete the temporary file which could result in the deletion of
the incorrect file.

After discussions with the vendor, CVE-2011-2725 was assigned to this
vulnerability.

Technical Details

Ark is vulnerable to directory traversal in the way it handles temporary
files for rendering when you click view. An archive that has been
manipulated such that it contains files in nested folders with the name
../../../whatever will be opened in the default view as
/temporary/location/../../../whatever. Moreover when the viewer is closed,
QFile::remove will be called on the incorrect location allowing an
arbitrary file to be removed. This can be reproduced using the following
steps:

$ echo pwned > $HOME/pwned
$ ls -la $HOME/pwned
$ mkdir -p ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/$HOME
$ touch ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/$HOME/pwned
$ zip -r PoC.zip ZZ
$ cat PoC.zip | sed "s/ZZ/../g" > PoC-evil.zip
$ ark PoC-evil.zip

Open the resultant compressed pwned in Ark's default view and you will see
$HOME/pwned instead. To cause this file to be deleted, simply close the view.
This can be verified by checking the existence of the non-compressed pwned
under $HOME:

$ ls -la $HOME/pwned

This is due to:

void Part::slotPreviewExtracted(KJob *job)
{
    // FIXME: the error checking here isn't really working
    // if there's an error or an overwrite dialog,
    // the preview dialog will be launched anyway
    if (!job->error()) {
        const ArchiveEntry& entry =
            m_model->entryForIndex(m_view->selectionModel()->currentIndex());
        // The entry name from the archive is appended to the temporary
        // directory as-is, so leading "../" components are not stripped here.
        const QString fullName =
            m_previewDir->name() + QLatin1Char( '/' ) + entry[ FileName ].toString();
        ArkViewer::view(fullName, widget());
    } else {
        KMessageBox::error(widget(), job->errorString());
    }
    setReadyGui();
}

in part.cpp which differs from:

void Part::slotPreview(const QModelIndex & index)
{
    if (!m_previewDir) {
        m_previewDir = new KTempDir();
    }

    if (!isPreviewable(index)) {
        return;
    }

    const ArchiveEntry& entry = m_model->entryForIndex(index);

    if (!entry.isEmpty()) {
        Kerfuffle::ExtractionOptions options;
        options[QLatin1String( "PreservePaths" )] = true;

        // Extraction goes through the archive interface, which drops the
        // leading "../" components; the viewer path above does not.
        ExtractJob *job = m_model->extractFile(entry[ InternalID ],
                                               m_previewDir->name(), options);
        registerJob(job);
        connect(job, SIGNAL(result(KJob*)),
                this, SLOT(slotPreviewExtracted(KJob*)));
        job->start();
    }
}

It appears that LibArchiveInterface::copyFiles truncates the root node
such that the leading ../../.. get dropped during the call to the
extractFile method, whereas view simply loads m_previewDir->name() +
QLatin1Char( '/' ) + entry[ FileName ].toString().
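As an added illustration (not Ark's code and not the vendor patch), the following C++ places the unsanitised join from slotPreviewExtracted beside a hardened check that a preview path, and therefore the path later handed to QFile::remove, stays inside the preview directory. It uses plain std::string instead of QString so it runs stand-alone; the function names are assumed.

```cpp
#include <string>
#include <vector>

// Mirrors the vulnerable construction in Part::slotPreviewExtracted:
// the entry name is appended to the temp dir with no normalisation,
// so "../" components in the archive entry escape the preview directory.
std::string unsafePreviewPath(const std::string& previewDir,
                              const std::string& entryName) {
    return previewDir + '/' + entryName;
}

// Hardened variant (assumed name): split the entry name into path
// components, resolve "." and "..", and refuse any name that is absolute
// or climbs above the preview directory. The same validated path should
// be the only one ever passed to the viewer and to the later remove().
// Returns false when the entry must be rejected.
bool safePreviewPath(const std::string& previewDir,
                     const std::string& entryName, std::string& out) {
    if (entryName.empty() || entryName[0] == '/') return false;  // absolute
    std::vector<std::string> parts;
    std::string seg;
    for (size_t i = 0; i <= entryName.size(); ++i) {
        if (i == entryName.size() || entryName[i] == '/') {
            if (seg == "..") {
                if (parts.empty()) return false;  // would leave previewDir
                parts.pop_back();
            } else if (!seg.empty() && seg != ".") {
                parts.push_back(seg);
            }
            seg.clear();
        } else {
            seg += entryName[i];
        }
    }
    if (parts.empty()) return false;  // nothing left to preview
    out = previewDir;
    for (const std::string& p : parts) out += '/' + p;
    return true;
}
```

With the advisory's PoC entry (every ZZ rewritten to ..), the first ".." already underflows the component stack, so the entry is rejected before any file is opened or removed.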

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

History

On 29th June 2011, Nth Dimension contacted the KDE security team to
report the described vulnerability.

On 1st July 2011, Jeff Mitchell of KDE confirmed that he had received
the report and it had been escalated to Laurent Montel, a KDE developer
working on Ark, to determine the impact. Laurent examined the Nth
Dimension supplied test case to understand the full extent
of the problem.

On 25th July 2011, Jeff Mitchell contacted oss-security on behalf of
the KDE security team to request a CVE for this vulnerability, which was
duly assigned. Following the assignment of a CVE for this issue, Nth
Dimension and KDE liaised to establish a date for final publication
of the advisory and patches.

At this point Raphael Kubo da Costa of KDE took ownership of the issue.
Raphael and Nth Dimension exchanged a number of emails where various
proposed solutions were discussed before the final patch was agreed on
the 23rd September 2011. At this point it was confirmed that a
coordinated disclosure would occur on the 3rd October 2011.

Current

As of the 4th October 2011, the state of the vulnerabilities is
believed to be as follows. A patch has been developed which
successfully mitigates the issue identified. KDE packaging teams
have been notified and vendor specific patches should already be
available.

Thanks

Nth Dimension would like to thank Laurent, Jeff and Raphael of KDE for
the way they worked to resolve the issue.
