Full Disclosure mailing list archives
Re: unarj dir-transversal bug (../../../..)
From: Chris Umphress <umphress () gmail com>
Date: Tue, 12 Oct 2004 06:49:18 -0700
yes, but this is the point! when i happen to unarj a package with the unarj version you have as user "root", then unarj *will* have the permission to overwrite /etc or whatever. it won't kindly ask but just overwrite, or does it? (you've shown unarj in action with sudo when test.txt was non-existent).
arj does ask if you want to overwrite an existing file.

--------------- snip ----------------
chris@chris:/home$ ls -l /usr/local/bin/test.txt
/usr/bin/ls: /usr/local/bin/test.txt: No such file or directory
chris@chris:/home$ ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]
Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
Error (13): Permission denied
Can't open ../usr/local/bin/test.txt
OK to extract to a new filename? Break signaled!
chris@chris:/home$ sudo ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]
Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
Extracting ../../usr/local/bin/test.txt to ../usr/local/bin/test.txt OK
1 file(s)
chris@chris:/home$ sudo ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]
Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
ARJ 13 04-10-11 12:21:48, DISK 13 04-10-11 12:21:48
../usr/local/bin/test.txt is same or newer, Overwrite? Break signaled!
chris@chris:/home$ ls -l /usr/local/bin/test.txt
-rw-r--r-- 1 root root 13 2004-10-11 12:21 /usr/local/bin/test.txt
--------------------------------------

I found a copy of unarj [2.63] and repeated the same test (using unarj). It tried to extract with "../../" where arj had only used "../". "unarj" had one other difference from "arj" that I noticed. When it encountered a file that already existed, it automatically skipped extraction of that file.

On a side-note, ARJ is more of a DOS/Windows archiving format. I had assumed that no one in their right mind would run this tool as root on an archive that they had not created. Every *nix package format that I can find is based off of tar/gzip or the RPM file format. I guess there is always a possibility that someone will run unarj as root, though.

--
Chris Umphres
<http://daga.dyndns.org/>
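Added example, not part of the original post and not code from arj or unarj: a check an extractor could run on each stored member name before opening the output file, so that names like the ones in the transcript above are refused whatever privileges the process has. The function name `member_path_is_safe` and all sample names other than the two `test.txt` paths are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Return 1 if a stored member name can be joined onto the extraction
 * directory without leaving it, 0 otherwise.
 * Hypothetical helper for illustration; not taken from arj or unarj. */
int member_path_is_safe(const char *name)
{
    size_t i = 0, start;

    if (name == NULL || name[0] == '\0')
        return 0;
    /* Absolute names: POSIX "/x", DOS "\x", drive-qualified "C:x".
     * Rejecting "C:x" is conservative on Unix, where it is a legal name. */
    if (name[0] == '/' || name[0] == '\\')
        return 0;
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;

    /* Walk the components. Both '/' and '\\' count as separators because
     * ARJ is a DOS/Windows format. Any ".." component is refused outright
     * instead of being stripped, so "a/../../b" fails as well. */
    while (name[i] != '\0') {
        start = i;
        while (name[i] != '\0' && name[i] != '/' && name[i] != '\\')
            i++;
        if (i - start == 2 && name[start] == '.' && name[start + 1] == '.')
            return 0;
        if (name[i] != '\0')
            i++;                        /* step over the separator */
    }
    return 1;
}

int main(void)
{
    /* The first two names are the paths printed in the transcript above;
     * the rest are constructed edge cases. */
    const char *samples[] = {
        "../../usr/local/bin/test.txt", "../usr/local/bin/test.txt",
        "docs/../../tmp/x", "..\\..\\autoexec.bat", "C:\\windows\\win.ini",
        "docs/readme..txt", "docs/test.txt",
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-30s %s\n", samples[k],
               member_path_is_safe(samples[k]) ? "extract" : "REJECT");
    return 0;
}
```

The check looks at the stored name only; it does not account for symlinks that already exist inside the extraction directory.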