COMMAND
archivers
SYSTEMS AFFECTED
multiple archivers (GNU tar, UnZip, rar, pkzipc)
PROBLEM
3APA3A found the following. Users usually treat archive extraction
as a safe operation, but file extraction has a few problems.
Among them: huge files with a high compression ratio can fill
memory or disk (see the "Antivirus scanner DoS with zip archives"
thread on Vuln-Dev), special device names and special characters
in file names, and directory traversal (the dot-dot bug).
Directory traversal is probably the most dangerous of these,
because it lets an attacker craft an archive that trojans the
system on extraction: a member whose name begins with ../ or with
an absolute path is written outside the directory the user chose
to extract into. Software developers know about this problem, and
newer archivers usually have some kind of protection, but in some
cases that protection is weak and can be bypassed. 3APA3A did a
very quick check (approximately 30 minutes, so he may have missed
something) of a few popular archivers. Results are below.
GNU tar (all platforms):
========================
tar before 1.13.19, including the latest released version, has no
protection against ".." or absolute paths at all. The tar
development team was contacted. They replied that they are aware
of the problem and that the current development version, 1.13.19,
implements some protection, but it does not work in most cases
because of a coding bug: as the attached patch shows, the scan
stops on the path separator and then skips the whole following
component, so only a leading ".." is ever caught. The exploitation
scenario was passed back to the development team; we hope the
protection will work when 1.13.19 is finally released. See the
attached patch (tar-1.13.19.patch).
Info-Zip's UnZip (all platforms):
=================================
All versions have neither ".." nor absolute path protection. No
reply from the vendor. See the attached patch (unzip-5.42.patch).
PKWare's PKZip (Windows):
=========================
The console version was tested. It is vulnerable if the archive is
extracted with the -rec (recursive) option; without this option
the archive is extracted without its directory structure, so the
stored paths are ignored. All versions up to the latest, 4.00, are
vulnerable. The program is shareware, no sources are available.
The vendor was contacted but the status of a patch is unknown.
RARsoft (Eugene Roshal's) RAR (all platforms):
==============================================
Directory traversal protection was implemented in rar 2.02, but it
can be bypassed. Eugene Roshal was contacted and replied that the
latest version of rar (2.80) is absolutely safe. That is true, but
2.02 is the latest version available in most Unix ports (2.80 is
available for Windows and Linux; you can use the Linux version if
your system supports Linux emulation). The program is shareware,
no sources are available.
WinZip (Windows):
=================
Behavior is close to ideal. The console version does not extract
files with ".." unless a special switch is given, and the windowed
version warns the user about the possible impact of extracting a
".." entry.
Exploitation of path globbing and directory traversal under
Windows is trivial. On most Unix systems, to exploit directory
traversal you must guess how deep the directory the file will be
extracted into lies, i.e. how many ../ components are needed to
reach the target. tar and rar can create files with permissions
different from the umask, which makes it possible to create
executables. Only tar overwrites target files without prompting
by default.
Network Associates found a virus in mid-2000 called "Bat/Winrip",
which uses this method to replicate. After the virus had been
found by the German NAI office, warnings were sent out both to
other AV companies and to developers of packer programs. But it
seems that only a few people have taken steps against this issue
in their programs.
The most interesting issue with this virus was that it was able to
replicate using the extraction routine of a virus scanner: some
scanners still extract every file of an archive to disk first
(e.g. to C:\TEMP) and only then look for a virus inside the
unpacked file.
Some virus scanners used external unpackers or special DLL
routines for this, both using the full path and accepting ".." or
"\". This should have changed now; some still extract the files
first (which is relatively slow, so scanning everything in memory
is more effective), but usually using a random file name and/or
ignoring path statements, as far as we know.
SOLUTION
List the contents of an archive before extraction if it came from
an untrusted source, but keep in mind that a file name can contain
control characters, e.g. ../ followed by backspaces (^H^H^H) that
erase it from the terminal display; do not trust your eyes, use a
program that shows the raw names. Never automate archive
extraction, or use a jail if you need automation. Be sure never to
run extraction as a user with elevated privileges.
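The name checks the attached patches make, and the advice above to
list an archive with a program rather than by eye, as an added
example in Python. This is not code from the advisory or from any
of the archivers it discusses. It builds a small zip and a small
tar in memory with constructed member names, then reports which
members a careful extractor should refuse: leading or inner "..",
backslash separators, absolute paths and drive letters, and
control characters that hide "../" on a terminal. Going beyond
what the patches check, it also flags setuid modes (the advisory
notes tar and rar create files with modes independent of the
umask) and link members whose target leaves the destination, or
later members written through such a link. The destination
/tmp/extract and all member names are assumptions for the example;
nothing is written to disk.

```python
"""Inspect archive member names before extraction (added example)."""
import io
import posixpath
import tarfile
import zipfile

DEST = "/tmp/extract"   # assumed extraction directory (example only)


def unsafe_reasons(name, dest=DEST):
    """Return the reasons a member name must not be extracted under dest."""
    reasons = []
    # Control characters (backspace, escape, ...) make "../" vanish from a
    # terminal listing: the advisory's "do not trust your eyes" warning.
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        reasons.append("control characters in name")
    # Treat backslash as a separator as well: Windows archivers do, and a
    # stored "..\\x" would slip past a check that only knows about '/'.
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (norm[:1].isalpha() and norm[1:2] == ":"):
        reasons.append("absolute path or drive letter")
    # Look at every component, not only a leading "../": this also catches
    # "a/../../b" and a trailing "foo/..".
    if ".." in norm.split("/"):
        reasons.append("'..' component")
    # Final check: resolve the name against dest and confirm it stays inside.
    target = posixpath.normpath(posixpath.join(dest, norm.lstrip("/")))
    if target != dest and not target.startswith(dest.rstrip("/") + "/"):
        reasons.append("resolves outside destination")
    return reasons


def check_zip(data):
    """Map unsafe member name -> reasons, for a zip held in memory."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = unsafe_reasons(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def check_tar(data):
    """Like check_zip, plus link targets, writes through links, setuid."""
    findings, links = {}, []
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf.getmembers():
            reasons = unsafe_reasons(m.name)
            if m.issym() or m.islnk():
                # Symlink targets are relative to the link's directory,
                # hard-link targets to the archive root.
                base = "" if m.islnk() else posixpath.dirname(m.name)
                target = (m.linkname if m.linkname.startswith("/")
                          else posixpath.join(base, m.linkname))
                if unsafe_reasons(target):
                    reasons.append("link target escapes destination")
                links.append(m.name)
            elif any(m.name == l or m.name.startswith(l + "/") for l in links):
                reasons.append("path passes through an earlier link member")
            if m.isfile() and m.mode & 0o6000:
                reasons.append("setuid/setgid mode")
            if reasons:
                findings[m.name] = reasons
    return findings


def build_zip():
    """Constructed sample: one honest member and five hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../tmp/owned.txt", "leading ..\n")
        zf.writestr("a/b/../../../owned2.txt", "inner ..\n")
        zf.writestr("..\\win\\owned.txt", "backslash separators\n")
        zf.writestr("/etc/owned.txt", "absolute path\n")
        zf.writestr("../\b\b\bsafe.txt", "backspaces hide the ../\n")
    return buf.getvalue()


def build_tar():
    """Constructed sample: setuid member, traversal, symlink, write through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, payload=b"", **attrs):
            ti = tarfile.TarInfo(name)
            ti.size = len(payload)
            for key, value in attrs.items():
                setattr(ti, key, value)
            tf.addfile(ti, io.BytesIO(payload) if payload else None)
        add("bin/tool", b"#!/bin/sh\n", mode=0o4755)
        add("../../tmp/owned.sh", b"echo pwned\n", mode=0o755)
        add("link", type=tarfile.SYMTYPE, linkname="../../tmp")
        add("link/dropped.txt", b"written through the symlink\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, findings in (("zip", check_zip(build_zip())),
                            ("tar", check_tar(build_tar()))):
        print(label + ":")
        for name, reasons in findings.items():
            # %r shows the control characters that a plain listing hides.
            print("  refuse %r: %s" % (name, "; ".join(reasons)))
```

The component test is deliberately stricter than "does the final
path escape": "a/../b" would land inside the destination, but
refusing every ".." component, as the attached patches do, avoids
having to reason about symlinks and case folding on the way there.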
Wait for a vendor patch, use one of the checked archivers, or
apply the attached patches at your own risk (the first is for tar,
the second for unzip):
*** misc.c.orig Sat Jan 13 08:59:29 2001
--- misc.c Mon Jul 9 15:45:09 2001
***************
*** 201,217 ****
{
char const *p = name + FILESYSTEM_PREFIX_LEN (name);
for (;;)
{
! if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
return 1;
do
{
! if (! *p++)
return 0;
}
! while (! ISSLASH (*p));
}
}
--- 201,218 ----
{
char const *p = name + FILESYSTEM_PREFIX_LEN (name);
+ if(ISSLASH (*p) ) return 1;
for (;;)
{
! if (p[0] == '.' && p[1] == '.' && (!p[2] || ISSLASH (p[2])))
return 1;
do
{
! if (! *p)
return 0;
}
! while (! ISSLASH (*p++));
}
}
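Review bot: the leading-slash test added at the top of the function (`+ if(ISSLASH (*p) ) return 1;`) changes the function's contract: by its loop body it is a ".." detector, so any caller that reports why a member was skipped will now say ".." for an absolute name; a separate test for absolute names, or a renamed function, keeps the diagnostics honest. The loop fix itself is correct: in the old code `if (! *p++)` advanced past the separator before `while (! ISSLASH (*p))` looked at it, so `p` stopped on the slash and the next do/while skipped the whole following component, which is why only a leading ".." was ever caught; moving the increment into `while (! ISSLASH (*p++))` leaves `p` on the first character after the separator, where the ".." test belongs. Note that the function sees only the name string passed to it; link targets are not examined here.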
*** extract.orig Sun Jan 14 00:40:20 2001
--- extract.c Mon Jul 9 14:45:42 2001
***************
*** 154,159 ****
--- 154,161 ----
#ifndef WINDLL
static ZCONST char Far ReplaceQuery[] =
"replace %s? [y]es, [n]o, [A]ll, [N]one, [r]ename: ";
+ static ZCONST char Far TraversalWarning[] =
+ "%s skipped because of directory traversal\n";
static ZCONST char Far AssumeNone[] = " NULL\n(assuming [N]one)\n";
static ZCONST char Far NewNameQuery[] = "new name: ";
static ZCONST char Far InvalidResponse[] = "error: invalid response [%c]\n";
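Review bot: TraversalWarning is added inside the `#ifndef WINDLL` block alongside ReplaceQuery, so the WINDLL build gets no message when a member is refused for traversal; if the DLL build should report the skip as well, the string (or an equivalent callback) needs to live outside this block.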
***************
*** 877,882 ****
--- 879,893 ----
} /* end switch (*answerbuf) */
#endif /* ?WINDLL */
} /* end if (query) */
+ if(*__G__ G.filename=='/' || !strncmp(__G__ G.filename, "../", 3)
+ || strstr(__G__ G.filename,"/../")){
+ skip_entry = SKIP_Y_EXISTING;
+ #ifndef WINDLL
+ Info(slide, 0x81, ((char *)slide,
+ LoadFarString(TraversalWarning),
+ FnFilter1(G.filename)));
+ #endif
+ }
if (skip_entry != SKIP_NO) {
#ifdef WINDLL
if (skip_entry == SKIP_Y_EXISTING) {
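Review bot: the `__G__` token in `*__G__ G.filename` and `strncmp(__G__ G.filename, "../", 3)` is misused: in unzip's globals.h it is the globals-pointer argument macro for calls to unzip's own functions and in a REENTRANT build expands to `pG,`, which turns the dereference into a comma expression and hands strncmp and strstr an extra argument; plain `G.filename` is what is wanted, as the `FnFilter1(G.filename)` line already uses. Second, the condition covers only `/...`, `../...` and `.../...`: a name that is exactly `..` or ends in `/..` (for example `foo/..`) passes, as does a name with backslash separators unless the name has been normalised to `/` before this point, which is worth confirming. Third, the test sits after the `} /* end if (query) */` line, so for an existing target the user is first asked "replace ...?" and only then is the entry refused, and it reuses SKIP_Y_EXISTING, so the `#ifdef WINDLL` branch below reports a traversal skip as an existing-file skip; a dedicated skip value tested before the existence query would fix both.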