Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)

From: evilninja (evilninja_at_gmx.net)
Date: 10/12/04

    To: Full-disclosure <full-disclosure@lists.netsys.com>
    Date: Tue, 12 Oct 2004 01:29:40 +0200
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Chris Umphress wrote:
    > chris@chris:~/test$ unarj x test.arj
    > UNARJ (Demo version) 2.30 Copyright (c) 1991 Robert K Jung
    >
    > Processing archive: test.arj
    > Archive date : 2012-11-10 27:44:04
    > Can't open ../../usr/local/bin/test.txt
    > 0 file(s)
    >
    > Found 1 error(s)!

    hm, strange. i have:

    evil@sheep:~$ unarj x test.arj
    ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27 Jun 2004]

    Processing archive: test.arj
    Archive created: 2004-10-12 01:15:49, modified: 2004-10-12 01:15:49
    usr/bin/namei, Create this directory? Yes
    Extracting ../usr/bin/namei to usr/bin/namei OK
         1 file(s)

    so it's not taking all the ../ into account and also an .arj created with
    full path is created in $PWD. arj + unarj are both v3.10.

    > Apart from it removing one "../" from the filename I gave it, it
    > worked exactly as I expected.

    ...somehow i don't expect programs to mess with /usr. not as a user and
    not as root.

    /me wonders about which version of arj/unarj "doubles" is talking about....

    - --
    BOFH excuse #303:

    fractal radiation jamming the backbone
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.5 (GNU/Linux)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFBaxdjC/PVm5+NVoYRAgBNAJ9tUbGF0NCqM4sIY9mWHsNvGrd9NwCfb+qj
    F+w1GfecVnGP7R0TQoQFC+I=
    =eEJw
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
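
The two transcripts in the message above differ in how the stored member name is handled: one run tries to open `../../usr/local/bin/test.txt` as given, the other ends up writing `usr/bin/namei` below the current directory. The following is an added example, not part of the original message and not code from ARJ or unarj, of an extractor-side check that confines member names to the extraction directory. The function name `sanitize_member_name` is hypothetical, and it assumes member names use `/` as the separator.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: rewrite an archive member name so that it can only
 * resolve below the extraction directory. Leading '/', empty components,
 * "." and ".." are dropped. Returns 0 on success, -1 if nothing usable
 * remains or the output buffer is too small. */
int sanitize_member_name(const char *name, char *out, size_t outsz)
{
    size_t used = 0;
    const char *p = name;

    if (outsz == 0)
        return -1;
    out[0] = '\0';

    while (*p) {
        size_t len = strcspn(p, "/");          /* length of next component */
        int skip = (len == 0) ||
                   (len == 1 && p[0] == '.') ||
                   (len == 2 && p[0] == '.' && p[1] == '.');
        if (!skip) {
            size_t need = len + (used ? 1 : 0); /* component plus separator */
            if (used + need + 1 > outsz)        /* +1 for the trailing NUL */
                return -1;
            if (used)
                out[used++] = '/';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
        }
        p += len;
        if (*p)
            p++;                                /* step over the '/' */
    }
    return used ? 0 : -1;
}

int main(void)
{
    /* First two names come from the transcripts above; the rest are constructed. */
    const char *samples[] = { "../../usr/local/bin/test.txt",
                              "../usr/bin/namei", "/usr/bin/namei", "../.." };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = sanitize_member_name(samples[i], buf, sizeof buf);
        printf("%-30s -> %s\n", samples[i], rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```

The check is purely lexical: it does not account for symlinks that already exist inside the extraction directory.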

