Date: Mon, 29 Jun 2020 17:05:08 -0400 From: Dennis Goodlett <dennis@...ricanelabs.com> To: oss-security@...ts.openwall.com Subject: default behavior in unzip more dangerous then -^ I want to bring attention to default behavior of unzip on Linux. I consider its current behavior unexpected and potentially dangerous. # Unzip without -^ argument By default unzip removes special characters from file names. This can result in files being renamed or overwritten. In some circumstances this could result in remote code execution. Consider the case of a LAMP server that prevents users from uploading files with a ".php" extension. If the system administrator restores or refreshes the directory with unzip, he needs to use the "-^" flag to keep from creating a ".php" file. See the following example: ``` $ ls uploads/ |grep "php" #### no php files in uploads $ zip ./z.zip ./uploads/* adding: uploads/index.^[p^[h^[p (stored 0%) $ unzip z.zip Archive: z.zip extracting: uploads/index.php $ ls uploads/ |grep "php" #### unzip created index.php index.php ``` Another example shows that files can be overwritten. While this example uses "-f", the results would be the same without "-f" due to the order of the files. ``` $ cat uploads/old_file OLD $ zip z.zip uploads/* adding: uploads/old_file (stored 0%) adding: uploads/old_file^[ (stored 0%) $ unzip -fo z.zip Archive: z.zip extracting: uploads/old_file $ cat uploads/old_file NEW INJECTED ``` # My Opinion I consider the file name "/e\x1btc/\x1bshadow" dangerous because some program might mishandle the name and overwrite "/etc/shadow". The unzip utility agrees so the default behavior will change "/e\x1btc/\x1bshadow" into "/etc/shadow". # Potential Changes/fixes Personally, I would prefer unzip to act like 7z and just extract the given name without changes. Just updating unzip this way could cause problems for some people that rely on the sanitization behavior. A better solution would be to skip the extraction of files that have special characters in their name. This is the current philosophy when encountering directory traversal. # Thank You Thanks to Seth Arnold from Ubuntu's security team for pointing out the "-^" argument to me. -- Dennis Goodlett Hurricane Labs Cell: (216) 218-1372 GIT: https://github.com/swoops http://hurricanelabs.com (@hurricanelabs) EOF -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.