- ------------------------------------------------------------------ 7a69ezine Advisories 7a69Adv#19 - ------------------------------------------------------------------ http://www.7a69ezine.org [02/02/2005] - ------------------------------------------------------------------ Title: ZipGenius unpack path disclosure Author: Albert Puigsech Galicia - <ripe@xxxxxxxxxxxxx> Software: ZipGenius Versions: >= 5.5 Remote: yes Exploit: yes Severity: Medium-High - ------------------------------------------------------------------ I. Introduction. ZipGenius is a file compression suite that supports more than 20 formats of compressed archives including RAR, ARJ, ACE, CAB, SQX and ZIP. It's free and easy to use, and you can download it from http://www.zipgenius.it. II. Description. ZipGenius does not check before unpacks if the file has "../" on its name, concecuently it's posible to create a malicious ZIP file that allocate files on arbitary folders. Other formats instead ZIP may be also afected. III. Exploit If you try to overwrite a file ZipGenius shows a confirmation message, so it's better for explotation purposes to create new files, but It's not a problem to execute arbitrari code because you can create, for example, startup files on 'C:\Documents and settings\All Users\Start menu\Programs\Start' that will be executed after next user's login. It's easy to create a malicious Zip file with some UNIX tools as seen in the following sample: $ touch ..o..o..o..o..o..o..ofile $ zip malicious.zip ..o..o..o..o..o..o..ofile $ ht malicious.zip #Hexadecimal editor to change 'o' by '/' on the filename. $ touch dummy $ zip malicious.zip dummy #To recalculate CRC. If you don't know how to do it you can use the ZIP file attached to check the vulnerability. IV. Patch Update to ZipGenius 6 Beta. V. Timeline 02/01/2005 - Bug discovered 10/01/2005 - Mail sent to zginfo@xxxxxxxxxxxx 16/01/2005 - Mail sent to zginfo@xxxxxxxxxxxx again 18/01/2005 - Vendor response 20/01/2005 - Solved in beta version 02/02/2005 - Advisor released VI. Extra data You can find more 7a69ezine advisories on this following link: http://www.7a69ezine.org/avisos/propios [spanish info]
Attachment:
malicious.zip
Description: Zip archive