7a69Adv#21 - WinRAR unpack one-folder path disclosure

Type securityvulns
Reporter Securityvulns
Modified 2005-02-04T00:00:00


   7a69ezine Advisories                      7a69Adv#21

http://www.7a69ezine.org [02/02/2005]

Title: WinRAR unpack one-folder path disclosure

Author: Albert Puigsech Galicia - <ripe@7a69ezine.org>

Software: WinRAR

Versions: >= 3.42

Remote: yes

Exploit: yes

Severity: Low

I. Introduction.

WinRAR is an archive manager that can create and decompress ZIP, RAR and other files. You can download this software and get more info about it from http://www.rarlab.com.

II. Description.

WinRAR adds some options to unpack files directly using left-click. The option of extracting files directly in the directory allows you to store the files ina a directory that takes the same name of the compressed file but without the extension, so if the filename is '...zip' and you use this option the uncompressed data will be stored on "../" folder.

III. Exploit

It's realy hard to exploit this issue in a real scenario, because you can't know where the malicious file will. But, for example, if it's on 'C:/temp' you can create any file on the root filesystem.

Windows does not allow to create a files with the apropiate name to exploit the vulnerability, but you can use other sistem to do it.

IV. Patch

No oficial patch avaliable. Be careful unpacking untrusted files.

V. Timeline

02/01/2005 - Bug discovered 16/01/2005 - Mail sent to dev@rarlab.com 16/01/2005 - Fast vendor response 02/02/2005 - Advisor released

VI. Extra data

You can find more 7a69ezine advisories on this following link:

http://www.7a69ezine.org/avisos/propios [spanish info]