UnZip Invalid Character Double Dot Arbitrary File Write

2003-05-09T09:33:43
ID OSVDB:2168
Type osvdb
Reporter Jelmer (jelmer@kuperus.xs4all.nl)
Modified 2003-05-09T09:33:43

Description

Vulnerability Description

UnZip contains a flaw that allows a remote attacker to potentially overwrite files and execute arbitrary programs on a target system. The issue is due to the module not properly filtering encoded path names when extracting files. This allows an attacker to create a specially crafted .zip file that will extract files to arbitrary locations including the system root directory.

Solution Description

Upgrade to UnZip version 5.51 or WinRAR 3.30 or higher, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

Use the following encoding instead of "../": ". \003 ./[filename]"
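
An added example, not part of the original entry or of UnZip's code: a pre-extraction check for archive entry names that rejects control characters before looking for ".." components. It assumes the flaw is a traversal check that runs before invalid characters are dropped from the name; `naive_check`, `safe_target`, `audit` and the sample names are hypothetical.

```python
import os
import unicodedata

class UnsafeEntry(ValueError):
    """Raised when an archive entry name must not be extracted."""

def strip_controls(name: str) -> str:
    # Models an extractor that drops unprintable characters from stored names.
    return "".join(c for c in name if unicodedata.category(c) != "Cc")

def naive_check(name: str) -> bool:
    # Flawed order: looks for ".." in the raw name, before controls are dropped.
    return ".." not in name.replace("\\", "/").split("/")

def safe_target(dest_dir: str, entry_name: str) -> str:
    """Return the absolute path the entry may be written to, else raise."""
    if strip_controls(entry_name) != entry_name:
        raise UnsafeEntry("control character in entry name")
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or name[1:2] == ":":
        raise UnsafeEntry("absolute path or drive prefix")
    if ".." in name.split("/"):
        raise UnsafeEntry("parent-directory component")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeEntry("resolves outside destination")
    return target

def audit(names, dest_dir):
    """Map each entry name to None (safe) or the rejection reason."""
    report = {}
    for n in names:
        try:
            safe_target(dest_dir, n)
            report[n] = None
        except UnsafeEntry as exc:
            report[n] = str(exc)
    return report

# Constructed sample names; the second places byte 0x03 between two dots.
SAMPLE = ["docs/readme.txt", ".\x03./.\x03./tmp/x", "../x", "/etc/x"]

if __name__ == "__main__":
    for name, why in audit(SAMPLE, "out").items():
        print(repr(name), "->", why or "ok")
```

The second sample name passes `naive_check` yet becomes `../../tmp/x` once control characters are stripped, which is why `safe_target` refuses such names outright instead of sanitising them.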

References:

Vendor URL: http://www.rarlabs.com/
Vendor URL: http://www.info-zip.org/
Vendor Specific Advisory URL
Secunia Advisory ID: 9790
Other Advisory URL: http://secunia.com/advisories/8781/
Nessus Plugin ID: 12403
Nessus Plugin ID: 14056
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175&w=2
Keyword: Directory Traversal
ISS X-Force ID: 12004
CVE-2003-0282
Bugtraq ID: 7550