Message-ID: <1f29b89404101206496ea9ef5@mail.gmail.com>
From: umphress at gmail.com (Chris Umphress)
Subject: unarj dir-transversal bug (../../../..)
> yes, but this is the point! when i happen to unarj a package with the
> unarj version you have as user "root", then unarj *will* have the
> permission to overwrite /etc or whatever. it won't kindly ask but just
> overwrite, or does it? (you've shown unarj in action with sudo when
> test.txt was non-existent).
arj does ask if you want to overwrite an existing file.
--------------- snip ----------------
chris@...is:/home$ ls -l /usr/local/bin/test.txt
/usr/bin/ls: /usr/local/bin/test.txt: No such file or directory
chris@...is:/home$ ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]
Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
Error (13): Permission denied
Can't open ../usr/local/bin/test.txt
OK to extract to a new filename?
Break signaled!
chris@...is:/home$ sudo ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]
Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
Extracting ../../usr/local/bin/test.txt to ../usr/local/bin/test.txt OK
1 file(s)
chris@...is:/home$ sudo ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]
Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
ARJ 13 04-10-11 12:21:48, DISK 13 04-10-11 12:21:48
../usr/local/bin/test.txt is same or newer, Overwrite?
Break signaled!
chris@...is:/home$ ls -l /usr/local/bin/test.txt
-rw-r--r-- 1 root root 13 2004-10-11 12:21 /usr/local/bin/test.txt
--------------------------------------
I found a copy of unarj [2.63] and repeated the same test (using
unarj). It tried to extract with "../../" where arj had only used
"../". "unarj" had one other difference from "arj" that I noticed.
When it encountered a file that already existed, it automatically
skipped extraction of that file.
On a side note, ARJ is more of a DOS/Windows archiving format. I had
assumed that no one in their right mind would run this tool as root on
an archive that they had not created. Every *nix package format that I
can find is based on tar/gzip or the RPM file format. I guess there
is always a possibility that someone will run unarj as root, though.
--
Chris Umphres <http://daga.dyndns.org/>
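The transcript above shows two different failure modes: unarj writes the member name `../../usr/local/bin/test.txt` as given, while arj rewrites it to `../usr/local/bin/test.txt` (one `../` fewer) and still leaves the destination directory. The example below is added here and is not from the original post or from the arj/unarj sources. It mirrors the "drop one leading ../" behaviour visible in the log purely as an illustration (`strip_one_leading_dotdot` is a hypothetical name, not arj's code) and puts beside it the check an extractor actually needs: reject absolute names and `..` components, canonicalise the join, and confirm the result stays under the destination. The member names and contents are constructed for the demo; `/home` stands in for the working directory in the transcript.

```python
"""Path-traversal checks for archive member names (added example, not part
of the original post or of the arj/unarj sources)."""
import os
import posixpath
import tempfile


def strip_one_leading_dotdot(name):
    """Illustrates the rewrite seen in the transcript ("../../x" -> "../x").

    Hypothetical helper; it is NOT arj's code. It exists only to show that
    removing a single "../" is not a traversal defence."""
    return name[3:] if name.startswith("../") else name


def safe_member_path(dest_dir, member_name):
    """Return the absolute path a member may be written to, or None if the
    name would escape dest_dir.

    ARJ is a DOS format, so backslashes are treated as separators and a
    leading drive letter ("C:") is rejected along with absolute paths."""
    dest = os.path.abspath(dest_dir)
    name = member_name.replace("\\", "/")
    if posixpath.isabs(name):
        return None
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts or ":" in parts[0]:
        return None
    target = os.path.abspath(os.path.join(dest, *parts))
    # Lexical containment check: everything above must already have
    # removed "..", so this guards against anything that slipped through.
    if os.path.commonpath([dest, target]) != dest:
        return None
    return target


def extract(dest_dir, members, overwrite=False):
    """Write {name: bytes} members under dest_dir.

    Returns (written, rejected, skipped). Like unarj in the post, existing
    files are skipped unless overwrite=True; note that this is not a
    traversal defence, since the first run as root creates the file."""
    written, rejected, skipped = [], [], []
    dest_real = os.path.realpath(dest_dir)
    for name, data in members.items():
        target = safe_member_path(dest_dir, name)
        if target is None:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        # Resolve symlinks in the parent directory: a symlinked directory
        # under dest_dir could otherwise redirect the write elsewhere.
        parent_real = os.path.realpath(os.path.dirname(target))
        if os.path.commonpath([dest_real, parent_real]) != dest_real:
            rejected.append(name)
            continue
        if os.path.exists(target) and not overwrite:
            skipped.append(name)
            continue
        with open(target, "wb") as f:
            f.write(data)
        written.append(name)
    return written, rejected, skipped


# Constructed archive contents modelled on the post's test archive.
MEMBERS = {
    "../../usr/local/bin/test.txt": b"traversal test\n",
    "chris/test/test.txt": b"benign file\n",
}


def demo():
    """Extract MEMBERS twice into a scratch directory and return both
    results, so the second run shows the existing-file skip."""
    with tempfile.TemporaryDirectory() as tmp:
        first = extract(tmp, MEMBERS)
        second = extract(tmp, MEMBERS)
        return first, second


if __name__ == "__main__":
    print(strip_one_leading_dotdot("../../usr/local/bin/test.txt"))
    print(demo())
```

The point of `strip_one_leading_dotdot` is negative: after it runs, `../usr/local/bin/test.txt` is still outside `/home`, exactly as the arj log shows, so any fix that edits the name instead of validating the resolved path is incomplete. `safe_member_path` rejects the name before and after the rewrite.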