Directory traversal vulnerabilities in several archivers processing .tar

From: Florian Schafferhans (fs@computer-security.de)
Date: Mon Dec 16 2002 - 15:40:43 PST

    Subject
    
      Directory traversal vulnerabilities in several archivers processing
      .tar files
    
    
    
    Author
    
      Florian "sticky bit" Schafferhans
       <fs@computer-security.de>
       http://www.computer-security.de/
    
    
    
    Date
    
      17. December 2002
    
    
    
    Affected
    
     GNU cpio 2.5
      http://www.gnu.org/
      tested on Linux 2.2.19
    
     Winzip Computing WinZip 8.1
      http://www.winzip.com/
      evaluation copy tested on Windows 98 SE
    
     PKWARE PKZip 5.00.01
      http://www.pkzip.com/
      evaluation copy tested on Windows 98 SE
    
     Aladdin Systems (former Ontrack) ZipMagic 4.0
      http://www.aladdinsys.com/
      evaluation copy tested on Windows 98 SE
    
     Eugene Roshal's WinRAR 3.00
      http://www.rarlabs.com/
      evaluation copy tested on Windows 98 SE
    
     Speedproject Squeez 4.0
      http://www.speedproject.de/
      evaluation copy tested on Windows 98 SE
    
     Speedproject Squeez 4.1
      http://www.speedproject.de/
      evaluation copy tested on Windows 98 SE
    
     Speedproject SpeedCommander 8.1
      http://www.speedproject.de/
      evaluation copy tested on Windows 98 SE
    
     Speedproject SpeedCommander 9.0
      http://www.speedproject.de/
      evaluation copy tested on Windows 98 SE
    
    
    
    Summary
    
      The .tar file format is widely used on UNIX(-like) systems. It is
      able to store almost any information about several files, such as
      name, owner, mode, etc., together with their content, and to sum
      them up in one file, originally to be stored on tapes for backups.
      It is also commonly used to gather a bunch of files together and
      compress them afterwards with common compression programs such as
      gzip, as the .gz format, for example, does not support bundling
      several files; this allows transferring file sets through networks
      with less overhead and more comfort. Note that the .tar file format
      itself does not support any compression at all.
      
      Several programs capable of processing .tar files are vulnerable to
      directory traversal under certain circumstances. This may result in
      overwritten files in the best case and in smuggled-in malware in
      the worst.
    
    
    
    Details
    
      The .tar file format works in record blocks, usually of 512 bytes
      in size. For each file in the archive there is a header record
      holding attributes like the file's name, mode, size, type, the file
      owner's uid, gid, uname and gname, and several other pieces of
      information. If necessary, the following records store the file's
      content.
      
      Several programs do not handle the file's path carefully enough. It
      is stored in the first 100 bytes of such a header record block, in
      plain ASCII and filled up with NUL bytes if necessary. If a path
      string contains a leading slash ('/'), most programs strip it off
      by default when unpacking an archive (even if they offer an option
      to leave it in, which could be useful e. g. when restoring a system
      after a backup), to avoid files being overwritten by accident. But
      they do not check for and remove directory-up strings ('../'); they
      open the given path directly, without any warning. This way it is
      possible to place files anywhere in the system, e. g. to overwrite
      a binary of a server software with one containing a back door to
      gain system access in a further step, or just to leave junk
      anywhere in the system. It all comes down to guessing the right
      path and being lucky that the unpacking software does not show
      what is going on, or that the user does not notice it properly.
      
      The circumstance that unpacking .tar files is often the first
      action when installing new software, and that one is therefore
      logged in as super user to have the proper privileges, makes
      things even worse.
      
      Note that a dot-dot-backslash ('..\') will have the same effect on
      a Windows system.
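      The following is an added example, not code from the advisory or
      from any of the listed products. It walks the 512-byte record
      blocks just described, reads the NUL-padded name field (plus the
      ustar prefix field, which goes beyond the 100-byte name the text
      mentions), and flags members whose path would land outside the
      extraction directory, covering '../', '..\', leading slashes and
      drive letters. The sample archive is constructed in the script
      itself with Python's tarfile module; the field offsets are the
      standard ustar layout and the function names are the example's own.

```python
import io
import tarfile

BLOCK = 512  # tar record size, as described in the Details section


def _cstr(block, off, length):
    """NUL-padded ASCII field -> str."""
    return block[off:off + length].split(b"\0", 1)[0].decode("ascii", "replace")


def _octal(block, off, length):
    """NUL/space-terminated octal field -> int (0 if empty)."""
    field = block[off:off + length].split(b"\0", 1)[0].strip()
    return int(field, 8) if field else 0


def parse_header(block):
    """Parse one 512-byte header record (classic / ustar layout).

    Returns None at the end-of-archive marker (an all-zero block).
    Offsets: name 0/100, mode 100/8, size 124/12, typeflag 156,
    magic 257/6, uname 265/32, gname 297/32, ustar prefix 345/155.
    """
    if len(block) != BLOCK or block == b"\0" * BLOCK:
        return None
    name = _cstr(block, 0, 100)
    # ustar writers may split long paths into prefix + name; join them so
    # the check sees the whole path, not just the first 100 bytes.
    prefix = _cstr(block, 345, 155) if block[257:262] == b"ustar" else ""
    return {
        "name": prefix + "/" + name if prefix else name,
        "mode": _octal(block, 100, 8),
        "size": _octal(block, 124, 12),
        "typeflag": chr(block[156]) if block[156] else "0",
        "uname": _cstr(block, 265, 32),
        "gname": _cstr(block, 297, 32),
    }


def is_unsafe_path(path):
    """True if extracting `path` below a target directory could escape it.

    Both '/' and '\\' count as separators ('..\\' has the same effect on
    Windows); absolute paths and drive letters are flagged as well.
    """
    p = path.replace("\\", "/")
    if p.startswith("/") or (len(p) >= 2 and p[1] == ":"):
        return True
    return any(part == ".." for part in p.split("/"))


def scan_tar(data):
    """Walk the records of a raw .tar image and return (member, reason)
    for every member whose path would leave the extraction directory."""
    findings = []
    pos = 0
    while pos + BLOCK <= len(data):
        hdr = parse_header(data[pos:pos + BLOCK])
        if hdr is None:
            break
        if is_unsafe_path(hdr["name"]):
            findings.append((hdr["name"], "path escapes extraction directory"))
        # Links, directories and fifos carry no data records.
        size = 0 if hdr["typeflag"] in "123456" else hdr["size"]
        pos += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
    return findings


def build_sample_archive():
    """Constructed sample (not from the advisory): one benign member, one
    '../' member and one '..\\' member, written in ustar format."""
    buf = io.BytesIO()
    members = [
        ("pkg/README", b"hello\n"),
        ("pkg/../../etc/evil.conf", b"constructed\n"),
        ("..\\win\\evil.exe", b"constructed\n"),
    ]
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_tar(build_sample_archive()):
        print(f"{reason}: {member!r}")
```

      Run against a real archive by passing its bytes to scan_tar() before
      extracting; an empty result means no member path needs the manual
      check the Solution section asks for.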
    
      The following describes in detail the circumstances under which the
      affected programs are vulnerable:
    
       GNU cpio 2.5
         This software is fully affected.
    
       Winzip Computing WinZip 8.1
         When the option "Extract folder names" in the extract dialogue
         is checked (one will usually use this, otherwise the whole
         directory structure would be lost, resulting in an unorganized
         bunch of files), the software behaves exactly as described
         above. The option is checked by default, so an extraction via
         the context menu of a file linked to this software (the menu
         popping up when right-clicking a file's icon in Windows) is an
         affected action as well.
    
       PKWARE PKZip 5.00.01
         This software is fully affected.
    
       Aladdin Systems (former Ontrack) ZipMagic 4.0
         This software is fully affected.
    
       Eugene Roshal's WinRAR 3.00
         This software is not affected in the way described above. It
         just leaves out any '../' found in a path when extracting .tar
         files.
         The only problem that remains is the display. This program
         shows an archive's content like most GUIs do, with all files
         represented by icons, pretending the archive were just a normal
         directory.
         All folders of an archive (also the ones not mentioned
         explicitly but implied by the paths of the contained files) are
         displayed as folder icons. There is one special folder
         displayed, named '..', which leads into the folder the archive
         lies in; from there it is possible to browse this folder or even
         the whole file system through the software, or it lets you get
         one level up if you are in a folder of the archive.
         Unfortunately a '../' in an archive's file name header record
         will also be shown as a folder named '..' and leads to exactly
         the same place as the software's own '..' folder. A user might
         thus assume just an error of the software, not being aware that
         the archive might contain unseen files or even directory
         traversal paths. So he might distribute archives which contain
         potential dangers (when extracted with other programs) without
         even having the chance to know about it.
    
       Speedproject Squeez 4.0
         This software is not affected in the way described above. It
         will replace any '../' with '___' when extracting .tar files.
         Unfortunately it also replaces any '../' in the display with
         '___'. So users might not be aware of the circumstance that the
         archive contains directory traversal paths, and might thus
         distribute archives containing potential dangers they have no
         chance to know about.
    
       Speedproject Squeez 4.1
         This software is not affected in the way described above. It
         will ignore any '../' when extracting .tar files, just leaving
         this part of the path out.
         Unfortunately it also ignores it in the display, so it does not
         show a '../' part in a path. So users might not be aware of the
         circumstance that the archive contains directory traversal
         paths, and might thus distribute archives containing potential
         dangers they have no chance to know about.
    
       Speedproject SpeedCommander 8.1
         This software is not affected in the way described above. It
         will replace any '../' with '___' when extracting .tar files.
         Unfortunately it also replaces any '../' in the display with
         '___'. So users might not be aware of the circumstance that the
         archive contains directory traversal paths, and might thus
         distribute archives containing potential dangers they have no
         chance to know about.
    
       Speedproject SpeedCommander 9.0
         This software is not affected in the way described above. It
         will ignore any '../' when extracting .tar files, just leaving
         this part of the path out.
         Unfortunately it also ignores it in the display, so it does not
         show a '../' part in a path. So users might not be aware of the
         circumstance that the archive contains directory traversal
         paths, and might thus distribute archives containing potential
         dangers they have no chance to know about.
    
    
    
    Solution
    
       GNU cpio 2.5
         As a work-around you could use the -t or --list switch to show
         the archive's content and check carefully for '../', or perform
         something like
         
           cpio -t -F file.tar 2> /dev/null | grep "\.\./"
         
         to automate it.
         I have not received any information on when an update fixing
         this issue will be available.
    
       Winzip Computing WinZip 8.1
         An update fixing the issues is available under
         http://www.winzip.com/wz81sr1.htm.
    
       PKWARE PKZip 5.00.01
         Open every archive and check the paths carefully. Do not extract
         from the Windows context menu (right click on a file's icon).
         I have not received any information on when an update fixing
         this issue will be available.
    
       Aladdin Systems (former Ontrack) ZipMagic 4.0
         Open every archive and check the paths carefully. Do not extract
         from the Windows context menu (right click on a file's icon).
         I have not received any information on when an update fixing
         this issue will be available.
    
       Eugene Roshal's WinRAR 3.00
         Be suspicious when you see the '..' folder icon twice in an
         archive.
         There is already a new version released fixing this issue,
         WinRAR 3.10 beta 3. It is available under
         http://www.rarlabs.com/.
    
       Speedproject Squeez 4.0
         Be suspicious when you see a folder named '___' in an archive.
         There is already a new release available under
         http://www.speedproject.de/enu/index.html, Squeez 4.1. But
         unfortunately in the new release the problems are even worse
         (see details section).
    
       Speedproject Squeez 4.1
         Sorry, but it seems to me there is no choice other than to
         change to another software for now.
         I have not received any information on when an update fixing
         this issue will be available.
    
       Speedproject SpeedCommander 8.1
         Be suspicious when you see a folder named '___' in an archive.
         There is already a new release available under
         http://www.speedproject.de/enu/index.html, SpeedCommander 9.0.
         But unfortunately in the new release the problems are even worse
         (see details section).
    
       Speedproject SpeedCommander 9.0
         Sorry, but it seems to me there is no choice other than to
         change to another software for now.
         I have not received any information on when an update fixing
         this issue will be available.
    
    
    
    Related
    
      Directory traversal and path globing in multiple archivers
       http://online.securityfocus.com/archive/1/196445
      Special devices access in multiple archivers
       http://online.securityfocus.com/archive/1/196965
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:19:17 PST