COMMAND

    Directory traversal vulnerabilities in several archivers

SYSTEMS AFFECTED

    GNU cpio 2.5                                    http://www.gnu.org/
        tested on Linux 2.2.19
    Winzip Computing WinZip 8.1                     http://www.winzip.com/
        evaluation copy tested on Windows 98 SE
    PKWARE PKZip 5.00.01                            http://www.pkzip.com/
        evaluation copy tested on Windows 98 SE
    Aladdin Systems (former Ontrack) ZipMagic 4.0   http://www.aladdinsys.com/
        evaluation copy tested on Windows 98 SE
    Eugene Roshal's WinRAR 3.00                     http://www.rarlabs.com/
        evaluation copy tested on Windows 98 SE
    Speedproject Squeez 4.0                         http://www.speedproject.de/
        evaluation copy tested on Windows 98 SE
    Speedproject Squeez 4.1                         http://www.speedproject.de/
        evaluation copy tested on Windows 98 SE
    Speedproject SpeedCommander 8.1                 http://www.speedproject.de/
        evaluation copy tested on Windows 98 SE
    Speedproject SpeedCommander 9.0                 http://www.speedproject.de/
        evaluation copy tested on Windows 98 SE

PROBLEM

    Florian "sticky bit" Schafferhans [fs@computer-security.de]
    [http://www.computer-security.de/] says :

The .tar file format is widely used on UNIX(-like) systems. It stores almost any information about a set of files (name, owner, mode, etc.) together with their content and sums them up in one file; originally it was meant for backups written to tape. It is also commonly used to bundle a set of files and compress the bundle afterwards with a common compression program such as gzip, since a format like .gz does not support combining several files on its own; this makes transferring file sets over a network cheaper and more convenient. Note that the .tar file format itself does not support any compression at all.

Several programs capable of processing .tar files are vulnerable to directory traversal under certain circumstances. This may result in overwritten files in the best case and in smuggled-in malware in the worst.

Details
=======

The .tar file format works in records, usually 512 bytes in size. For each file in the archive there is a header record holding attributes such as the file's name, mode, size and type, the owner's uid, gid, uname and gname, and several other pieces of information. If necessary, the following records store the file's content.

Several programs do not handle the file's path, which is stored in plain ASCII in the first 100 bytes of such a header record and padded with NUL bytes if shorter, carefully enough. If the path has a leading slash ('/'), most programs strip it by default when unpacking an archive (even though they allow keeping it, which can be useful e.g. when restoring a system from a backup) so that files are not overwritten by accident. But they do not check for and remove directory-up components ('../'); they open the given path directly, without any warning. This makes it possible to place a file anywhere in the system, e.g. to overwrite a binary of a server program with one that contains a back door in order to gain system access in a further step, or simply to leave junk anywhere in the system. It all comes down to guessing the right path and being lucky that the unpacking software does not show what is going on, or that the user does not notice it. The fact that unpacking a .tar file is often the first step when installing new software, and that one is therefore logged in as super user to have the proper privileges, makes things even worse. Note that a dot-dot-backslash ('..\') will have the same effect on a Windows system.

The following describes in detail the circumstances under which each affected program is vulnerable:

GNU cpio 2.5
This software is fully affected.

Winzip Computing WinZip 8.1
When the option "Extract folder names" in the extract dialogue is checked (usually one will use it, otherwise the whole directory structure would be lost, resulting in an unorganized bunch of files), the software behaves exactly as described above. The option is checked by default, so an extraction started from the context menu of a file linked to this software (the menu that pops up when right-clicking a file's icon in Windows) is affected as well.

PKWARE PKZip 5.00.01
This software is fully affected.

Aladdin Systems (former Ontrack) ZipMagic 4.0
This software is fully affected.

Eugene Roshal's WinRAR 3.00
This software is not affected in the way described above: it simply drops any '../' found in a path when extracting .tar files. The only problem that remains is the display. Like most GUIs, this program shows an archive's content as files represented by icons, as if the archive were just a normal directory. All folders of an archive (including those not listed explicitly but implied by the paths of the contained files) are displayed as folder icons. One special folder named '..' leads to the folder the archive lies in, from where it is possible to browse that folder or even the whole file system through the software, or takes you one level up if you are inside a folder of the archive. Unfortunately a '../' in a member's path is also shown as a folder named '..' and leads to exactly the same place as the program's own '..' folder. A user might therefore assume a mere glitch in the software, not being aware that the archive may contain unseen files or even directory traversal paths, and might distribute archives containing potential dangers (when extracted with other programs) without having had a chance to know about them.

Speedproject Squeez 4.0
This software is not affected in the way described above: it replaces any '../' with '___' when extracting .tar files. Unfortunately it also replaces any '../' with '___' in the display, so users might not be aware that an archive contains directory traversal paths and might distribute archives containing potential dangers they have no chance to know about.

Speedproject Squeez 4.1
This software is not affected in the way described above: it ignores any '../' when extracting .tar files, simply leaving that part of the path out. Unfortunately it also ignores it in the display, so a '../' part of a path is never shown. Users might therefore not be aware that an archive contains directory traversal paths and might distribute archives containing potential dangers they have no chance to know about.

Speedproject SpeedCommander 8.1
This software is not affected in the way described above: like Squeez 4.0 it replaces any '../' with '___' when extracting .tar files, and unfortunately also in the display. So users might not be aware that an archive contains directory traversal paths and might distribute archives containing potential dangers they have no chance to know about.

Speedproject SpeedCommander 9.0
This software is not affected in the way described above: like Squeez 4.1 it ignores any '../' when extracting .tar files, and unfortunately also in the display, so a '../' part of a path is never shown. Users might therefore not be aware that an archive contains directory traversal paths and might distribute archives containing potential dangers they have no chance to know about.

SOLUTION

GNU cpio 2.5
As a work-around you can use the -t or --list switch to show the archive's content and check carefully for '../', or automate it with something like

    cpio -t -F file.tar 2> /dev/null | grep "\.\./"

I have not received any information on when an update fixing this issue will be available.

Winzip Computing WinZip 8.1
An update fixing the issue is available at http://www.winzip.com/wz81sr1.htm.

PKWARE PKZip 5.00.01
Open every archive and check the paths carefully. Do not extract from the Windows context menu (right click on a file's icon). I have not received any information on when an update fixing this issue will be available.

Aladdin Systems (former Ontrack) ZipMagic 4.0
Open every archive and check the paths carefully. Do not extract from the Windows context menu (right click on a file's icon). I have not received any information on when an update fixing this issue will be available.

Eugene Roshal's WinRAR 3.00
Be suspicious when you see the '..' folder icon twice in an archive. A new version fixing this issue has already been released, WinRAR 3.10 beta 3. It is available at http://www.rarlabs.com/.

Speedproject Squeez 4.0
Be suspicious when you see a folder named '___' in an archive. A new release, Squeez 4.1, is already available at http://www.speedproject.de/enu/index.html. Unfortunately the problems are even worse in the new release (see the Details section).

Speedproject Squeez 4.1
Sorry, but it seems to me that there is no option other than changing to other software for now. I have not received any information on when an update fixing this issue will be available.

Speedproject SpeedCommander 8.1
Be suspicious when you see a folder named '___' in an archive. A new release, SpeedCommander 9.0, is already available at http://www.speedproject.de/enu/index.html. Unfortunately the problems are even worse in the new release (see the Details section).

Speedproject SpeedCommander 9.0
Sorry, but it seems to me that there is no option other than changing to other software for now. I have not received any information on when an update fixing this issue will be available.
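The header layout described under Details and the path check that the cpio work-around approximates, carried into working code as an added example; this is not code from the advisory or from any of the archivers listed. It decodes raw 512-byte header records straight from the archive bytes, flags member paths that could escape the extraction directory (a leading '/', a '..' component anywhere, and '..\' treated the same way the advisory says Windows treats it), and then extracts only the members whose resolved path stays inside the destination. The sample archive is constructed inline with Python's tarfile module and its member names are made up for the test. Two things here go beyond the page and are assumptions of this example: the ustar 'prefix' field at offset 345 is honoured when reconstructing long names, and members that are neither plain files nor directories (symlinks, devices) are simply rejected.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile

BLOCK = 512  # tar record size, as described under Details


def parse_header(block: bytes) -> dict | None:
    """Decode one 512-byte header record; None for the all-zero end-of-archive record."""
    if block == b"\0" * BLOCK:
        return None

    def text(off, length):  # NUL-padded string field
        return block[off:off + length].split(b"\0", 1)[0].decode("ascii", "replace")

    def octal(off, length):  # NUL- or space-terminated octal number field
        raw = block[off:off + length].split(b"\0", 1)[0].strip(b" ")
        return int(raw, 8) if raw else 0

    name = text(0, 100)  # the path lives in the first 100 bytes of the record
    # Assumption beyond the advisory: POSIX ustar archives (magic at offset 257)
    # may keep the leading directories of a long name in a 'prefix' field at 345.
    if block[257:263] in (b"ustar\0", b"ustar ") and text(345, 155):
        name = text(345, 155) + "/" + name
    return {"name": name, "size": octal(124, 12), "typeflag": chr(block[156] or 0x30)}


def is_traversal(name: str) -> bool:
    """True if a member path could land outside the extraction directory."""
    path = name.replace("\\", "/")  # '..\' has the same effect as '../' on Windows
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return True  # absolute path (the drive-letter form is an extra check)
    return ".." in path.split("/")  # any directory-up component, not only a leading one


def scan_tar(data: bytes) -> list[tuple[str, bool]]:
    """Walk the header records of an uncompressed tar and flag risky member paths."""
    members, off = [], 0
    while off + BLOCK <= len(data):
        header = parse_header(data[off:off + BLOCK])
        if header is None:
            break
        members.append((header["name"], is_traversal(header["name"])))
        # the content occupies a whole number of 512-byte records after the header
        off += BLOCK + (header["size"] + BLOCK - 1) // BLOCK * BLOCK
    return members


def safe_extract(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract plain files/directories whose resolved path stays under dest.

    Returns (extracted names, rejected names).  Symlinks, devices and other
    member types are rejected as well; handling them safely is out of scope here.
    """
    dest_real = os.path.realpath(dest)
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for member in tf:
            # resolve the member path under dest; '..' and a leading '/' end up outside
            target = os.path.realpath(os.path.join(dest_real, member.name.replace("\\", "/")))
            inside = os.path.commonpath([dest_real, target]) == dest_real
            if not inside or not (member.isfile() or member.isdir()):
                rejected.append(member.name)
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tf.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(member.name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed test input: one harmless member and three that try to escape."""
    members = (("pkg/README", b"hello\n"), ("../outside.txt", b"via ../\n"),
               ("/abs/path.txt", b"via leading slash\n"), ("..\\win.ini", b"via ..\\\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo() -> dict:
    """Scan the sample archive, then extract it into a scratch directory."""
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "unpack")
        os.mkdir(dest)
        extracted, rejected = safe_extract(data, dest)
        return {"flagged": [n for n, risky in scan_tar(data) if risky],
                "extracted": extracted, "rejected": rejected,
                "escaped": os.path.exists(os.path.join(scratch, "outside.txt"))}


if __name__ == "__main__":
    print(demo())
```

Running it shows only pkg/README being written; the other three members are flagged by the scanner and refused by the extractor, and no outside.txt appears next to the unpack directory. Note that the grep in the cpio work-around above matches only '../'; the scanner here also catches a leading '/' and the '..\' form the advisory mentions for Windows, and it inspects the header bytes directly rather than trusting the archiver's own listing, which matters for the programs whose display hides or rewrites the '../' part.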