Message-ID: <1f29b894041011203027a29163@mail.gmail.com>
From: umphress at gmail.com (Chris Umphress)
Subject: unarj dir-transversal bug (../../../..)

> evil@...ep:~$ unarj x test.arj
> ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27 Jun 2004]
> 
> Processing archive: test.arj
> Archive created: 2004-10-12 01:15:49, modified: 2004-10-12 01:15:49
> usr/bin/namei, Create this directory? Yes
> Extracting ../usr/bin/namei           to usr/bin/namei               OK
>      1 file(s)
> 
> so it's not taking all the ../ into account and also an .arj created with
> full path is created in $PWD. arj + unarj are both v3.10.

Good point. I tried extracting again with 3.10, and it only leaves the
one "../" on the front.

> ...somehow i don't expect programs to mess with /usr. not as a user and
> not as root.

I just picked /usr, it could have been /etc, /var or any other
standard directory that every *nix distribution has. Regardless, if I
try to make unarj write to a directory that I don't have the
necessary permissions for, it asks me to pick an alternate location
to extract to.

> /me wonders about which version of arj/unarj "doubles" is talking about....

I don't see a problem, but it would be interesting to see which
version "doubles" is referring to.

-- 
Chris Umphres <http://daga.dyndns.org/>
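
Added example, not part of the original message and not code from arj/unarj: one way an extractor can rewrite member names such as the "../usr/bin/namei" in the transcript above so that every "../", not only the first, is removed before a file is created. The function name, the sample names and the backslash handling are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from arj/unarj): rewrite an archive member name
 * into a relative path that cannot leave the extraction directory. Empty,
 * "." and ".." components are dropped wherever they occur; '/' and '\\' are
 * both treated as separators (assumption: DOS-style names may appear).
 * Returns the number of ".." components dropped, or -1 if nothing usable
 * remains or the result does not fit in out. */
int sanitize_member(const char *name, char *out, size_t outsz)
{
    size_t used = 0;
    int dropped = 0;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (const char *p = name; *p; ) {
        size_t len = strcspn(p, "/\\");            /* this component */
        int is_dot = (len == 1 && p[0] == '.');
        int is_dotdot = (len == 2 && p[0] == '.' && p[1] == '.');
        if (is_dotdot)
            dropped++;
        if (len > 0 && !is_dot && !is_dotdot) {
            if (used + len + (used ? 1 : 0) >= outsz)
                return -1;                         /* refuse to truncate */
            if (used)
                out[used++] = '/';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
        }
        p += len;
        if (*p)
            p++;                                   /* skip the separator */
    }
    return used ? dropped : -1;
}

int main(void)
{
    /* Constructed sample names; the first is the one in the transcript. */
    const char *names[] = { "../usr/bin/namei", "../../../../etc/x",
                            "/usr/bin/namei", "a/../../b", "..\\..\\c", ".." };
    char out[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int r = sanitize_member(names[i], out, sizeof out);
        printf("%-20s -> %s\n", names[i], r < 0 ? "(rejected)" : out);
    }
    return 0;
}
```

The check is lexical only: it does not account for symlinks that already exist under the extraction directory.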

