lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Feb 2005 08:16:47 +0000
From: Albert Puigsech Galicia <ripe@...9ezine.org>
To: bugtraq@...urityfocus.com
Subject: 7a69Adv#19 - ZipGenius unpack path disclosure
- ------------------------------------------------------------------
7a69ezine Advisories 7a69Adv#19
- ------------------------------------------------------------------
http://www.7a69ezine.org [02/02/2005]
- ------------------------------------------------------------------
Title: ZipGenius unpack path disclosure
Author: Albert Puigsech Galicia - <ripe@...9ezine.org>
Software: ZipGenius
Versions: >= 5.5
Remote: yes
Exploit: yes
Severity: Medium-High
- ------------------------------------------------------------------
I. Introduction.
ZipGenius is a file compression suite that supports more than 20 formats of
compressed archives including RAR, ARJ, ACE, CAB, SQX and ZIP. It's free and
easy to use, and you can download it from http://www.zipgenius.it.
II. Description.
ZipGenius does not check before unpacks if the file has "../" on its name,
concecuently it's posible to create a malicious ZIP file that allocate files
on arbitary folders. Other formats instead ZIP may be also afected.
III. Exploit
If you try to overwrite a file ZipGenius shows a confirmation message, so
it's better for explotation purposes to create new files, but It's not a
problem to execute arbitrari code because you can create, for example,
startup files on 'C:\Documents and settings\All Users\Start
menu\Programs\Start' that will be executed after next user's login.
It's easy to create a malicious Zip file with some UNIX tools as seen in the
following sample:
$ touch ..o..o..o..o..o..o..ofile
$ zip malicious.zip ..o..o..o..o..o..o..ofile
$ ht malicious.zip #Hexadecimal editor to change 'o' by '/' on the filename.
$ touch dummy
$ zip malicious.zip dummy #To recalculate CRC.
If you don't know how to do it you can use the ZIP file attached to check the
vulnerability.
IV. Patch
Update to ZipGenius 6 Beta.
V. Timeline
02/01/2005 - Bug discovered
10/01/2005 - Mail sent to zginfo@...genius.it
16/01/2005 - Mail sent to zginfo@...genius.it again
18/01/2005 - Vendor response
20/01/2005 - Solved in beta version
02/02/2005 - Advisor released
VI. Extra data
You can find more 7a69ezine advisories on this following link:
http://www.7a69ezine.org/avisos/propios [spanish info]
Download attachment "malicious.zip" of type "application/x-zip" (302 bytes)
Powered by blists - more mailing lists