7a69Adv#19 - ZipGenius unpack path disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: 7a69Adv#19 - ZipGenius unpack path disclosure
From: Albert Puigsech Galicia <ripe@xxxxxxxxxxxxx>
Date: Wed, 2 Feb 2005 08:16:47 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: 7a69ezine.org
Reply-to: ripe@xxxxxxxxxxxxx
User-agent: KMail/1.7.2

- ------------------------------------------------------------------
       7a69ezine Advisories                      7a69Adv#19
- ------------------------------------------------------------------
  http://www.7a69ezine.org                            [02/02/2005]
- ------------------------------------------------------------------

Title:        ZipGenius unpack path disclosure

Author:       Albert Puigsech Galicia - <ripe@xxxxxxxxxxxxx>

Software:     ZipGenius

Versions:     >= 5.5

Remote:       yes

Exploit:      yes

Severity:     Medium-High

- ------------------------------------------------------------------



I. Introduction.

 ZipGenius is a file compression suite that supports more than 20 formats of 
compressed archives including RAR, ARJ, ACE, CAB, SQX and ZIP. It's free and 
easy to use, and you can download it from http://www.zipgenius.it.



II. Description.

 ZipGenius does not check before unpacks if the file has "../" on its name, 
concecuently it's posible to create a malicious ZIP file that allocate files 
on arbitary folders. Other formats instead ZIP may be also afected.



III. Exploit

 If you try to overwrite a file ZipGenius shows a confirmation message, so 
it's better for explotation purposes to create new files, but It's not a 
problem to execute arbitrari code because you can create, for example, 
startup files on 'C:\Documents and settings\All Users\Start 
menu\Programs\Start' that will be executed after next user's login. 

 It's easy to create a malicious Zip file with some UNIX tools as seen in the 
following sample:

 $ touch ..o..o..o..o..o..o..ofile
 $ zip malicious.zip ..o..o..o..o..o..o..ofile
 $ ht malicious.zip  #Hexadecimal editor to change 'o' by '/' on the filename.
 $ touch dummy
 $ zip malicious.zip dummy  #To recalculate CRC.

 If you don't know how to do it you can use the ZIP file attached to check the 
vulnerability.
 


IV. Patch

 Update to ZipGenius 6 Beta.


V. Timeline

02/01/2005  -  Bug discovered
10/01/2005  -  Mail sent to zginfo@xxxxxxxxxxxx
16/01/2005  -  Mail sent to zginfo@xxxxxxxxxxxx again
18/01/2005  -  Vendor response
20/01/2005  -  Solved in beta version
02/02/2005  -  Advisor released



VI. Extra data

 You can find more 7a69ezine advisories on this following link:

    http://www.7a69ezine.org/avisos/propios [spanish info]

Attachment: malicious.zip
Description: Zip archive

Prev by Date: Limited buffer-overflow in Painkiller 1.35
Next by Date: Re: [Full-Disclosure] [ GLSA 200501-46 ] ClamAV: Multiple issues
Previous by thread: Limited buffer-overflow in Painkiller 1.35
Next by thread: [USN-72-1] Perl vulnerabilities
Index(es):
- Date
- Thread