[NT] ZipGenius Directory Traversal

From: SecuriTeam (support_at_securiteam.com)
Date: 03/23/05

    To: list@securiteam.com
    Date: 23 Mar 2005 19:30:21 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      ZipGenius Directory Traversal
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.zipgenius.it> ZipGenius is a file compression suite that
    supports more than 20 formats of compressed archives including RAR, ARJ,
    ACE, CAB, SQX and ZIP. It's free and easy to use."

    ZipGenius does not check, before it unpacks a file, whether the filename
    contains "../". This makes it possible to create a malicious ZIP file
    that creates files in arbitrary folders.

    DETAILS

    Vulnerable Systems:
     * ZipGenius version 5.5

    Immune Systems:
     * ZipGenius version 6 Beta

    It is easy to create a malicious ZIP file with some UNIX tools, as shown
    in the following example:
     $ touch ..o..o..o..o..o..o..ofile
     $ zip malicious.zip ..o..o..o..o..o..o..ofile
     $ ht malicious.zip   # Hex editor, used to replace each 'o' with '/' in
                          # the stored filename.
     $ touch dummy
     $ zip malicious.zip dummy   # Adding an entry makes zip recalculate the CRC.

    If the archive tries to overwrite an existing file, ZipGenius shows a
    confirmation message; this can be avoided by creating new files instead.
    Furthermore, by placing them in the Startup folder, the newly created file
    will be executed on the user's next login.
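    The defensive side of this advisory is the check ZipGenius 5.5 omits:
    validating every entry name before writing it below the extraction
    directory. The following Python is an added illustration, not ZipGenius
    code or part of the original advisory; the archive it builds in memory is
    a constructed sample with one benign entry and one "../"-style entry, and
    the function and directory names are hypothetical. It goes slightly beyond
    the advisory by also rejecting absolute paths, drive letters and
    backslash-separated traversal, and by confirming the resolved target still
    lies under the destination.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath
from typing import List, Tuple


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if archive member `name` resolves inside `dest`.

    Rejects absolute paths, drive letters and any '..' path component,
    then verifies that the fully resolved target is still under `dest`.
    """
    # Zip entries should use '/', but some Windows archivers write '\'.
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False  # absolute path or drive letter
    parts = PurePosixPath(norm).parts
    if ".." in parts:
        return False  # the "../" case from the advisory
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, *parts))
    return target == dest_abs or target.startswith(dest_abs + os.sep)


def scan_archive(zip_bytes: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Classify members without extracting; returns (accepted, rejected)."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            (accepted if is_safe_member(info.filename, dest) else rejected).append(
                info.filename
            )
    return accepted, rejected


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Extract only members that stay inside dest; return the names written."""
    accepted, _ = scan_archive(zip_bytes, dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in accepted:
                zf.extract(info, dest)
                written.append(info.filename)
    return written


def build_sample_archive() -> bytes:
    """Constructed sample: a benign 'dummy' entry plus a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dummy", b"harmless\n")
        zf.writestr("../../../../../../../file", b"escapes\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    with tempfile.TemporaryDirectory() as out:  # hypothetical extraction dir
        accepted, rejected = scan_archive(sample, out)
        print("accepted:", accepted)
        print("rejected:", rejected)
        print("written :", safe_extract(sample, out))
```

    The check deliberately rejects any ".." component, including ones that
    would net out to a path inside the destination, and the final realpath
    comparison catches cases the component filter alone would miss (for
    example a symlinked directory already present under the destination).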

    Disclosure Timeline:
     * 02.01.05 - Vulnerability discovered
     * 10.01.05 - Mail sent to zginfo@zipgenius.it
     * 16.01.05 - Mail sent to zginfo@zipgenius.it again
     * 18.01.05 - Vendor response
     * 20.01.05 - Fixed in beta version
     * 02.02.05 - Advisory public release

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:ripe@7a69ezine.org> Albert
    Puigsech Galicia.
    The original article can be found at:
    <http://www.7a69ezine.org/avisos/propios>


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
