Full Disclosure mailing list archives

Re: unarj dir-transversal bug (../../../..)


From: Chris Umphress <umphress () gmail com>
Date: Tue, 12 Oct 2004 06:49:18 -0700

> Yes, but this is the point! When I happen to unarj a package with the
> unarj version you have as user "root", then unarj *will* have the
> permission to overwrite /etc or whatever. It won't kindly ask but just
> overwrite, or does it? (You've shown unarj in action with sudo when
> test.txt was non-existent.)

arj does ask if you want to overwrite an existing file.

--------------- snip ----------------
chris@chris:/home$ ls -l /usr/local/bin/test.txt
/usr/bin/ls: /usr/local/bin/test.txt: No such file or directory
chris@chris:/home$ ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]

Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
Error (13): Permission denied
Can't open ../usr/local/bin/test.txt
OK to extract to a new filename?
Break signaled!
chris@chris:/home$ sudo ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]

Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
Extracting ../../usr/local/bin/test.txt to ../usr/local/bin/test.txt   OK 
     1 file(s)
chris@chris:/home$ sudo ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]

Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
ARJ         13 04-10-11 12:21:48, DISK         13 04-10-11 12:21:48
../usr/local/bin/test.txt  is same or newer, Overwrite?
Break signaled!
chris@chris:/home$ ls -l /usr/local/bin/test.txt
-rw-r--r--  1 root root 13 2004-10-11 12:21 /usr/local/bin/test.txt
--------------------------------------

I found a copy of unarj [2.63] and repeated the same test (using
unarj). It tried to extract with "../../" where arj had only used
"../". "unarj" had one other difference from "arj" that I noticed.
When it encountered a file that already existed, it automatically
skipped extraction of that file.

On a side note, ARJ is more of a DOS/Windows archiving format. I had
assumed that no one in their right mind would run this tool as root on
an archive that they had not created. Every *nix package format that I
can find is based off of tar/gzip or the RPM file format. I guess
there is always a possibility that someone will run unarj as root,
though.

-- 
Chris Umphres <http://daga.dyndns.org/>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
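The step missing from the extraction shown in the thread is a validation of each member name before any file is opened, so that a name like "../../usr/local/bin/test.txt" is refused outright rather than being left to file permissions or an overwrite prompt. The code below is an added example written for this page, not code from unarj or ARJ; the member list is constructed from the post's test archive plus a few variants, and the destination directory "/tmp/unpack" is assumed.

```python
import os
import posixpath
import re

# Constructed sample: the "../../" entry is the one from the post's test
# archive; the others are variants chosen to exercise each check.
SAMPLE_MEMBERS = [
    "../../usr/local/bin/test.txt",  # from the post: escapes the extraction dir
    "../usr/local/bin/test.txt",     # from the post: arj's rewritten target
    "test.txt",                      # plain file name, accepted
    "docs/readme.txt",               # subdirectory, accepted
    "docs/../readme.txt",            # normalises to readme.txt, accepted
    "docs/../../readme.txt",         # escapes only after normalisation
    "/etc/passwd",                   # absolute path
    "C:\\WINDOWS\\system.ini",       # DOS drive letter and backslashes
]
DRIVE_RE = re.compile(r"^[A-Za-z]:")

def safe_member_path(name: str) -> str:
    """Normalised relative path for one member; ValueError if it could escape."""
    if not name or "\0" in name:
        raise ValueError(f"invalid member name: {name!r}")
    # ARJ is a DOS-origin format, so treat backslashes as separators too.
    unixish = name.replace("\\", "/")
    if unixish.startswith("/") or DRIVE_RE.match(unixish):
        raise ValueError(f"absolute path rejected: {name!r}")
    norm = posixpath.normpath(unixish)
    # normpath collapses "a/../b" but keeps leading ".."; any that remain would
    # place the member above the extraction directory.
    if norm == ".." or norm.startswith("../"):
        raise ValueError(f"path traversal rejected: {name!r}")
    return norm

def plan_extraction(dest_dir: str, members):
    """Decide, before touching the filesystem, which members may be written.
    Returns (accepted, rejected) as lists of (name, target) and (name, reason)."""
    dest = os.path.abspath(dest_dir)
    accepted, rejected = [], []
    for name in members:
        try:
            rel = safe_member_path(name)
        except ValueError as exc:
            rejected.append((name, str(exc)))
            continue
        target = os.path.join(dest, rel)
        # Independent re-check on the joined path; failing here would be a bug.
        if os.path.commonpath([dest, target]) != dest:
            raise RuntimeError(f"validated path escaped: {target!r}")
        accepted.append((name, target))
    return accepted, rejected
```

Running `plan_extraction("/tmp/unpack", SAMPLE_MEMBERS)` accepts only the three names that stay inside the destination and reports a reason for each of the five it refuses, whatever user the extractor runs as.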