[30082] in bugtraq
unzip directory traversal revisited
daemon@ATHENA.MIT.EDU (jelmer)
Sat May 10 14:52:39 2003
Message-ID: <006401c3167b$d7dfc220$0200000a@pluto>
From: "jelmer" <jelmer@kuperus.xs4all.nl>
To: <bugtraq@securityfocus.com>
Date: Sat, 10 May 2003 00:39:24 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0061_01C3168C.9AA80140"
------=_NextPart_000_0061_01C3168C.9AA80140
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
unzip directory traversal revisited
problem:
well I kinda stumbled over this when i was looking for something else
A while back some fuss was made over the use of .. sequences in archives
because it allows you to craft
an archive which will trojan your system on extraction
the creators of unzip fixed this but apperently didn't cover all bases
when an archive contains a file like ../JELMER.TXT it will skip it and print
out a message like this
jelmer.zip
warning: skipped "../" path component(s) in jelmer.zip
inflating: JELMER.TXT
however when i call it . \003 ./JELMER.txt it extracts it just fine or \001
etc
unzip jelmer.zip
Archive: jelmer.zip
extracting: ../JELMER.TXT
as it basicly ignores these characters
example:
i attached a zip file that illustrates the problem
it was hacked up using a hex editor
vendor status:
i just emailed Zip-Bugs@lists.wku.edu
tested on :
UnZip 5.50 on a gentoo linux and freebsd
------=_NextPart_000_0061_01C3168C.9AA80140
Content-Type: application/octet-stream;
name="jelmer.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="jelmer.zip"
UEsDBAoAAAAAAGiIqS7bygMgGQAAABkAAAAOAAAALgMuL0pFTE1FUi5UWFRUaGlzIGdldHMgdW56
aXBwZWQgdG8gLi4vUEsBAhQACgAAAAAAaIipLtvKAyAZAAAAGQAAAA4AAAAAAAAAAQAgAAAAAAAA
AC4DLi9KRUxNRVIuVFhUUEsFBgAAAAABAAEAPAAAAEUAAAAAAA==
------=_NextPart_000_0061_01C3168C.9AA80140--
