Date: Mon, 23 Feb 2015 16:12:54 -0500 (EST) From: cve-assign@...re.org To: ch3root@...nwall.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: cabextract -- directory traversal -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Use CVE-2015-2060 for this issue in which directory traversal occurs because the unpatched code does neither of the following: - checking for slashes after decoding - checking for ordinary slashes before decoding and prohibiting overlong encodings >> What happens if the .cab archive contains only one file, and \/tmp/abs >> is the filename? > $ ls *abs > \tmp\abs Thanks very much for this additional analysis. This seems to be an absolute path traversal for the current Cygwin version of cabextract (1.4-1). In other words, typing "cabextract test.cab" in Cygwin64 Terminal creates %SYSTEMDRIVE%\tmp\abs within the machine's Windows filesystem, at least if %SYSTEMDRIVE%\tmp already exists. Because Cygwin is specifically advertised as an available platform on the http://www.cabextract.org.uk/ page, it appears that this should be considered a separate vulnerability and fixed. > the code seems to be accurate in this regard We think you mean that there's no traversal on Linux because \tmp\abs is simply a filename within the current directory. Do you agree that there should be a CVE for the %SYSTEMDRIVE%\tmp\abs outcome with Cygwin? Finally, here's additional discussion (which is probably unimportant and can be skipped) about whether \tmp\abs is an appropriate outcome on Linux. Essentially, creating \tmp\abs in response to \/tmp/abs seems to be undocumented and potentially dangerous, but we don't (yet) know of any realistic scenario in which it would be exploitable. http://www.cabextract.org.uk/#usage says "cabextract will extract all files in all cabinets to the current directory, preserving any internal directory structure." If the filename \/tmp/abs is found, this would seem to imply that a pathname of \/tmp/abs should be created under the current directory (i.e., create a directory named \ and then create a directory named tmp and then create a plain file named abs). Instead, the code guesses that the user wants something entirely different: a plain file named \tmp\abs in the top level of the current directory. A security problem would occur if the current directory is unsafe, but the \ directory tree is safe. Specifically, suppose that the current directory is a production directory used as an argument to a program similar to run-parts (not run-parts itself, but another program that executes every script -- regardless of name or permissions -- within a single directory). Also, the \ directory tree happens to be used for working copies of scripts that are not yet validated for production. The threat model is that the user obtains a valid .cab file that was created elsewhere with other tools, and is sure that it contains an intended \/tmp/abs filename. Then, the user runs cabextract and is surprised to see the "wrong" filename and resulting code execution. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU65dbAAoJEKllVAevmvmsWQQH/jNyIG6RqCmtJnz221QJg1NP sCOu3mmj3NwdUeyADYr+bKxTFZxpeTRbfxHozfEDDZm7lEqp6ksbRGk2XGQAPrR9 SPAwd4avo7S/hcoZ7mQK5lkaeCsxrTHkuI+lkNlJVLHP9sQ/omR4qtuWNfmj6ifH PkP0KgSoLfF4Ky7AyI7Xi3Jhryptdz3IG5hyDa/eCuLs3k6AG5gQF1uWN2D2zmsN Hnx4dDfHuhXQXX5MMYty+B0YVvFHPLoqaNrdUJWcxPYOZHRKwnhrt9AF5eTbXbah PkJ7mB+V0gl+BqXN9zjrmsnXkEakdA5ksy/xDgIaF6mJ1qCcVerr/DvdKWNMVqI= =PnB3 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.