Message-ID: <416B1764.5090700@gmx.net>
From: evilninja at gmx.net (evilninja)
Subject: unarj dir-transversal bug (../../../..)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Umphress wrote:
>   chris@...is:~/test$ unarj x test.arj
>   UNARJ (Demo version) 2.30 Copyright (c) 1991 Robert K Jung
>   
>   Processing archive: test.arj
>   Archive date      : 2012-11-10 27:44:04
>   Can't open ../../usr/local/bin/test.txt
>       0 file(s)
> 
>   Found     1 error(s)!

hm, strange. i have:

evil@...ep:~$ unarj x test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27 Jun 2004]

Processing archive: test.arj
Archive created: 2004-10-12 01:15:49, modified: 2004-10-12 01:15:49
usr/bin/namei, Create this directory? Yes
Extracting ../usr/bin/namei           to usr/bin/namei               OK
     1 file(s)

so it's not taking all the ../ into account and also an .arj created with
full path is created in $PWD. arj + unarj are both v3.10.

> Apart from it removing one "../" from the filename I gave it, it
> worked exactly as I expected.

...somehow i don't expect programs to mess with /usr. not as a user and
not as root.

/me wonders about which version of arj/unarj "doubles" is talking about....

- --
BOFH excuse #303:

fractal radiation jamming the backbone
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBaxdjC/PVm5+NVoYRAgBNAJ9tUbGF0NCqM4sIY9mWHsNvGrd9NwCfb+qj
F+w1GfecVnGP7R0TQoQFC+I=
=eEJw
-----END PGP SIGNATURE-----
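The rewriting visible in the ARJ32 output above ("../usr/bin/namei" extracted to "usr/bin/namei") can be done as a component-by-component filter on the stored name before any file is opened. This is an added example, not part of the original message and not code from unarj or ARJ; `sanitize_member_name` is a hypothetical helper, and the sample names other than the two paths shown in the thread are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from unarj or ARJ): rewrite a member name stored
 * in an archive so it can only land below the extraction directory.
 * Drops leading '/', empty, "." and ".." components. '\\' is also treated as
 * a separator, a conservative choice for names written on DOS/Windows.
 * Returns 0 and fills out on success, -1 if nothing is left or out is too small. */
int sanitize_member_name(const char *stored, char *out, size_t outlen)
{
    size_t used = 0;
    const char *p = stored;

    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*p) {
        size_t n = strcspn(p, "/\\");   /* length of the next component */
        int skip = (n == 0) ||
                   (n == 1 && p[0] == '.') ||
                   (n == 2 && p[0] == '.' && p[1] == '.');
        if (!skip) {
            if (used + n + (used ? 1 : 0) + 1 > outlen)
                return -1;              /* refuse to truncate a path */
            if (used)
                out[used++] = '/';
            memcpy(out + used, p, n);
            used += n;
            out[used] = '\0';
        }
        p += n;
        if (*p)
            p++;                        /* step over the separator */
    }
    return used ? 0 : -1;               /* a name made only of ".." is rejected */
}

int main(void)
{
    /* Constructed sample names; the first two are the paths shown in the thread. */
    const char *names[] = { "../usr/bin/namei", "../../usr/local/bin/test.txt",
                            "/etc/passwd", "a/./b/../c", "../.." };
    char buf[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-32s -> %s\n", names[i],
               sanitize_member_name(names[i], buf, sizeof buf) == 0 ? buf : "(rejected)");
    return 0;
}
```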

