Date: Mon, 23 Feb 2015 16:12:54 -0500 (EST)
From: cve-assign@...re.org
To: ch3root@...nwall.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: cabextract -- directory traversal

Use CVE-2015-2060 for this issue in which directory traversal occurs
because the unpatched code does neither of the following:

  - checking for slashes after decoding
  - checking for ordinary slashes before decoding and prohibiting
    overlong encodings

>> What happens if the .cab archive contains only one file, and \/tmp/abs
>> is the filename?

> $ ls *abs
> \tmp\abs

Thanks very much for this additional analysis. This seems to be an
absolute path traversal for the current Cygwin version of cabextract
(1.4-1). In other words, typing "cabextract test.cab" in Cygwin64
Terminal creates %SYSTEMDRIVE%\tmp\abs within the machine's Windows
filesystem, at least if %SYSTEMDRIVE%\tmp already exists. Because
Cygwin is specifically advertised as an available platform on the
http://www.cabextract.org.uk/ page, it appears that this should be
considered a separate vulnerability and fixed.

> the code seems to be accurate in this regard

We think you mean that there's no traversal on Linux because \tmp\abs
is simply a filename within the current directory. Do you agree that
there should be a CVE for the %SYSTEMDRIVE%\tmp\abs outcome with
Cygwin?

Finally, here's additional discussion (which is probably unimportant
and can be skipped) about whether \tmp\abs is an appropriate outcome
on Linux.

Essentially, creating \tmp\abs in response to \/tmp/abs seems to be
undocumented and potentially dangerous, but we don't (yet) know of any
realistic scenario in which it would be exploitable.
http://www.cabextract.org.uk/#usage says "cabextract will extract all
files in all cabinets to the current directory, preserving any
internal directory structure." If the filename \/tmp/abs is found,
this would seem to imply that a pathname of \/tmp/abs should be
created under the current directory (i.e., create a directory named \
and then create a directory named tmp and then create a plain file
named abs). Instead, the code guesses that the user wants something
entirely different: a plain file named \tmp\abs in the top level of
the current directory.

A security problem would occur if the current directory is unsafe, but
the \ directory tree is safe. Specifically, suppose that the current
directory is a production directory used as an argument to a program
similar to run-parts (not run-parts itself, but another program that
executes every script -- regardless of name or permissions -- within a
single directory). Also, the \ directory tree happens to be used for
working copies of scripts that are not yet validated for production.
The threat model is that the user obtains a valid .cab file that was
created elsewhere with other tools, and is sure that it contains an
intended \/tmp/abs filename. Then, the user runs cabextract and is
surprised to see the "wrong" filename and resulting code execution.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
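As an added example (not cabextract's own code, and not part of the message above), here is one way to implement the two checks the CVE assignment calls for, applied to a member name before anything is created on disk: decode the name as strict UTF-8 so that overlong sequences such as `C0 AF` for `/` are rejected, then inspect every path component on the decoded code points, rejecting a leading separator (the `\/tmp/abs` case), `.`/`..` components and trailing separators. The function names and the extra rejection of `:` (drive-letter prefixes on Windows/Cygwin) are assumptions of this example, not something the report specifies.

```c
#include <stddef.h>

/* Strictly decode one UTF-8 sequence starting at s. Returns its byte length
 * (1..4) and stores the code point in *cp; returns 0 for a truncated, malformed
 * or overlong sequence (e.g. C0 AF, an overlong encoding of '/'). */
static size_t decode_utf8(const unsigned char *s, unsigned long *cp)
{
    unsigned char c = s[0];
    size_t len, i; unsigned long min;
    if (c < 0x80)                { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; *cp = c & 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { len = 3; *cp = c & 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { len = 4; *cp = c & 0x07; min = 0x10000; }
    else return 0;               /* stray continuation byte or 0xF8..0xFF */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;  /* also catches a NUL terminator */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min || *cp > 0x10FFFF) return 0; /* overlong or beyond Unicode */
    return len;
}

/* Returns 1 if an archive member name may be created below the extraction
 * directory, 0 if it must be rejected. Both '/' and '\' (the CAB separator)
 * are treated as separators, and the checks run on decoded code points, so an
 * overlong-encoded slash cannot slip past them. (Assumed API, not cabextract's.) */
int cab_name_is_safe(const char *name)
{
    const unsigned char *s = (const unsigned char *)name;
    size_t comp_len = 0;  /* code points in the current path component */
    size_t dots = 0;      /* how many of them are '.' */
    while (*s) {
        unsigned long cp;
        size_t n = decode_utf8(s, &cp);
        if (n == 0) return 0;                 /* malformed or overlong UTF-8 */
        if (cp == ':') return 0;              /* "C:\..." is absolute on Windows/Cygwin */
        if (cp == '/' || cp == '\\') {
            if (comp_len == 0) return 0;      /* leading separator: absolute path */
            if (comp_len == dots && dots <= 2) return 0;  /* "." or ".." component */
            comp_len = dots = 0;
        } else {
            comp_len++;
            if (cp == '.') dots++;
        }
        s += n;
    }
    if (comp_len == 0) return 0;              /* empty name or trailing separator */
    return !(comp_len == dots && dots <= 2);  /* final component must not be "." / ".." */
}
```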