COMMAND

    archivers

SYSTEMS AFFECTED

    multiple archivers (GNU tar, UnZip, rar, pkzipc)

PROBLEM

    3APA3A found the following.  Archive extraction is usually treated
    by users as a safe operation.  There are, however, a few problems
    with file extraction.

    Among them: huge files with a high compression ratio are able to
    fill memory/disk (see the "Antivirus scanner DoS with zip archives"
    thread on Vuln-Dev), special device names and special characters
    in file names, and directory traversal (the dot-dot bug).  Directory
    traversal is probably the most dangerous of these bugs, because it
    allows crafting an archive which will trojan the system on
    extraction.  This problem is known to software developers, and newer
    archivers usually have some kind of protection.  But in some cases
    this protection is weak and can be bypassed.  3APA3A did very quick
    (approx. 30 minutes, so he may have missed something) research on a
    few popular archivers.  Results are below.

    GNU tar (all platforms):
    ========================
    tar below 1.13.19, including the latest releases, has no ".." or
    absolute path protection at all.  The tar development team was
    contacted.  They replied that they are aware of the problem and
    that the current development version, 1.13.19, implements some kind
    of protection, but it doesn't work in most cases due to a coding
    bug.  An exploitation scenario was passed back to the development
    team.  We hope it will work when 1.13.19 is finally released.  See
    the attached patch (tar-1.13.19.patch).

    Info-Zip's UnZip (all platforms):
    =================================
    All versions have neither ".." nor absolute path protection.  No
    reply from vendor.  See the attached patch (unzip-5.42.patch).

    PKWare's PKZip (Windows):
    =========================
    The console version was tested.  It is vulnerable if the archive is
    extracted with the -rec (recursive) option.  If this option is not
    given, the archive is extracted without its directory structure.
    All versions up to the latest, 4.00, are vulnerable.  The program
    is shareware; no sources are available.  The vendor was contacted,
    but the status of a patch is unknown.

    RARsoft (Eugene Roshal's) RAR (all platforms):
    ==============================================
    Directory traversal protection was implemented in rar 2.02.  This
    protection can be bypassed.  Eugene Roshal was contacted and
    replied that the latest version of rar (2.80) is absolutely safe.
    That is true, but 2.02 is the latest available version in most Unix
    ports (2.80 is available for Windows and Linux; you can use the
    Linux version if your system supports Linux emulation).  The
    program is shareware; no sources are available.

    WinZip (Windows):
    =================
    Behavior is close to ideal.  The console version doesn't extract
    files with ".." unless a special switch is selected; the windowed
    version warns the user about the possible impact of extracting
    ".." entries.

    Under Windows, exploitation of path globbing and directory
    traversal is trivial.  On most Unix systems, to exploit directory
    traversal you have to guess the directory level the file will be
    extracted to.  tar and rar are able to create files with
    permissions different from the umask, which makes it possible to
    create executables.  Only tar overwrites target files without a
    prompt by default.

    Network Associates found a virus in mid-2000 called "Bat/Winrip",
    which uses such a way to replicate.  After the virus was found by
    the German NAI office, warnings were sent out both to other AV
    companies and to developers of packer programs.  But it seems that
    only a few people have taken steps against this issue in their
    programs.

    The most interesting issue with this virus was that it was able to
    replicate using the extraction routine of a virus scanner: some
    scanners still extract every file of an archive to disk first
    (e.g. to C:\TEMP) and only after that look for a virus inside the
    unzipped file.

    Some virus scanners used external unpackers or special DLL routines
    for this, both using the full path and accepting ".." or "\".
    This should have changed by now: some scanners still extract the
    files first (which is relatively slow, so scanning everything in
    memory is more effective), but, as far as we know, they usually
    use a random file name and/or ignore path components.

SOLUTION

    List the contents of an archive before extraction if it was
    obtained from an untrusted source (but keep in mind that a file
    name can contain something like ../^H^H^H, so do not trust your
    eyes; use a program).  Never automate archive extraction, or use a
    jail if you need automation.  Be sure never to run extraction as a
    user with elevated privileges.
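    A program-based check of the kind the advice above calls for, as an
    added example that is not part of the advisory or of any archiver's
    code: it lists zip entry names and flags the classes described in
    this advisory (absolute paths, ".." components in any position or
    with either separator, control characters such as the backspace
    trick, and device names), using only Python's standard library.
    The archive it audits is constructed in memory as sample data.

```python
import io
import re
import zipfile
from typing import Dict, Optional

# Reserved DOS/Windows device names; "COM1.txt" still opens the COM1 device.
_DEVICES = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)), *(f"LPT{i}" for i in range(1, 10))}

def unsafe_reason(name: str) -> Optional[str]:
    """Return why an entry name is unsafe to extract, or None if it looks safe."""
    if not name:
        return "empty name"
    # "../^H^H^H" from the advisory: backspaces hide the "../" in a terminal listing.
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        return "control character in name"
    if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        return "absolute path"
    # Test each path component with either separator, so "a/../b", "..\\x" and a
    # trailing "a/.." are all caught; "..foo" is a legitimate name and must not match.
    segments = re.split(r"[\\/]", name)
    if ".." in segments:
        return "'..' path segment"
    for seg in segments:
        if seg.split(".")[0].upper() in _DEVICES:
            return f"device name {seg!r}"
    return None

def audit_zip(fileobj) -> Dict[str, str]:
    """Map every unsafe entry name in a zip (path or file object) to its reason."""
    with zipfile.ZipFile(fileobj) as zf:
        reasons = ((i.filename, unsafe_reason(i.filename)) for i in zf.infolist())
        return {name: why for name, why in reasons if why}

def demo_zip() -> io.BytesIO:
    """Constructed sample archive (in memory) mixing safe and unsafe entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/readme.txt", "../evil.sh", "a/b/../../c",
                     "/etc/x", "../\b\b\bsafe.txt", "aux.txt"):
            zf.writestr(name, b"sample")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, why in audit_zip(demo_zip()).items():
        print(f"SKIP {name!r}: {why}")
```

    The same per-component rule applies to tar members via tarfile.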

    Wait for a vendor patch, use checked archivers, or apply the
    attached patches at your own risk (the first one is for tar and
    the second one for unzip):

    *** misc.c.orig	Sat Jan 13 08:59:29 2001
    --- misc.c	Mon Jul  9 15:45:09 2001
    ***************
    *** 201,217 ****
      {
        char const *p = name + FILESYSTEM_PREFIX_LEN (name);
    
        for (;;)
          {
    !       if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
  	    return 1;
    
            do
  	    {
    ! 	  if (! *p++)
  	        return 0;
  	    }
    !       while (! ISSLASH (*p));
          }
      }
    
    --- 201,218 ----
      {
        char const *p = name + FILESYSTEM_PREFIX_LEN (name);
    
    +   if(ISSLASH (*p) ) return 1;
        for (;;)
          {
    !       if (p[0] == '.' && p[1] == '.'  && (!p[2] || ISSLASH (p[2])))
  	    return 1;
    
            do
  	    {
    ! 	  if (! *p)
  	        return 0;
  	    }
    !       while (! ISSLASH (*p++));
          }
      }
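    Review bot: the new leading-slash test `+   if(ISSLASH (*p) ) return 1;` makes the function report an absolute path with the same return value as a `..` component, so a caller that prints a `..`-specific diagnostic on a non-zero return will now print it for absolute names too; either return a distinct value for the absolute case or make sure the caller's message covers both.  The loop change itself is right: the old `if (! *p++)` / `while (! ISSLASH (*p))` pair left `p` on the slash after each component, so the `p[0] == '.'` test at the top of the loop never saw a component that followed a slash; moving the increment into the `while` condition advances past the slash before the next test.  Style: match the surrounding GNU layout, `if (ISSLASH (*p))` with `return 1;` on its own line.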
    
    *** extract.orig	Sun Jan 14 00:40:20 2001
    --- extract.c	Mon Jul  9 14:45:42 2001
    ***************
    *** 154,159 ****
    --- 154,161 ----
      #ifndef WINDLL
         static ZCONST char Far ReplaceQuery[] =
           "replace %s? [y]es, [n]o, [A]ll, [N]one, [r]ename: ";
    +    static ZCONST char Far TraversalWarning[] =
    +      "%s skipped because of directory traversal\n";
         static ZCONST char Far AssumeNone[] = " NULL\n(assuming [N]one)\n";
         static ZCONST char Far NewNameQuery[] = "new name: ";
         static ZCONST char Far InvalidResponse[] = "error:  invalid response [%c]\n";
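    Review bot: the new `TraversalWarning` text describes only the `..` case, but the check that uses it (next hunk) also fires for names beginning with `/`; a message such as "%s skipped: absolute path or directory traversal\n" would be accurate for both.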
    ***************
    *** 877,882 ****
    --- 879,893 ----
                          } /* end switch (*answerbuf) */
      #endif /* ?WINDLL */
                      } /* end if (query) */
    + 		if(*__G__ G.filename=='/' || !strncmp(__G__ G.filename, "../", 3)
    + 		    || strstr(__G__ G.filename,"/../")){
    +                         skip_entry = SKIP_Y_EXISTING;
    + #ifndef WINDLL
    +                     Info(slide, 0x81, ((char *)slide,
    +                       LoadFarString(TraversalWarning),
    +                       FnFilter1(G.filename)));
    + #endif
    + 		}
                      if (skip_entry != SKIP_NO) {
      #ifdef WINDLL
                          if (skip_entry == SKIP_Y_EXISTING) {
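    Review bot: passing `__G__` to the C library in `strncmp(__G__ G.filename, "../", 3)` and `strstr(__G__ G.filename,"/../")` is wrong: `__G__` is unzip's globals-pointer argument macro for its own functions and expands to an extra leading argument in reentrant builds, where these calls then fail to compile; the `Info()` call in the same hunk correctly omits it, so the library calls should take plain `G.filename`.  Reusing `SKIP_Y_EXISTING` to mean "skipped for traversal" is also misleading: the `#ifdef WINDLL` branch directly below (`if (skip_entry == SKIP_Y_EXISTING) {`) will report the entry to the DLL caller as an existing-file skip, and since the warning is under `#ifndef WINDLL` the DLL build emits no message at all; a dedicated SKIP_ value handled in both branches would be cleaner.  Finally, the three patterns (`/` prefix, `../` prefix, `/../` substring) do not match a final `..` component without a trailing slash; splitting the name on `/` and rejecting any component equal to `..` covers every form with one rule.  The mixed tab/space indentation should also be normalized to the surrounding style.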