100956 2003-05-10 20:46 /42 rader/ jelmer <jelmer@kuperus.xs4all.nl>
Importerad: 2003-05-10 20:46 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4843>
Ärende: unzip directory traversal revisited
------------------------------------------------------------
unzip directory traversal revisited
problem:
well I kinda stumbled over this when i was looking for something else
A while back some fuss was made over the use of .. sequences in
archives because it allows you to craft an archive which will trojan
your system on extraction the creators of unzip fixed this but
apperently didn't cover all bases
when an archive contains a file like ../JELMER.TXT it will skip it
and print out a message like this
jelmer.zip
warning: skipped "../" path component(s) in jelmer.zip
inflating: JELMER.TXT
however when i call it . \003 ./JELMER.txt it extracts it just fine
or \001 etc
unzip jelmer.zip
Archive: jelmer.zip
extracting: ../JELMER.TXT
as it basicly ignores these characters
example:
i attached a zip file that illustrates the problem
it was hacked up using a hex editor
vendor status:
i just emailed Zip-Bugs@lists.wku.edu
tested on :
UnZip 5.50 on a gentoo linux and freebsd
(100956) /jelmer <jelmer@kuperus.xs4all.nl>/(Ombruten)
Bilaga (application/octet-stream) i text 100957
100957 2003-05-10 20:46 /3 rader/ jelmer <jelmer@kuperus.xs4all.nl>
Bilagans filnamn: "jelmer.zip"
Importerad: 2003-05-10 20:46 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4844>
Bilaga (text/plain) till text 100956
Ärende: Bilaga (jelmer.zip) till: unzip directory traversal revisited
------------------------------------------------------------
PK��
�����h©.ÛÊ� ������������.�./JELMER.TXTThis gets unzipped to ../PK����
�����h©.ÛÊ� ������������������ �������.�./JELMER.TXTPK����������<���E�����
(100957) /jelmer <jelmer@kuperus.xs4all.nl>/--------