7a69Adv#21 - WinRAR unpack one-folder path disclosure
- ------------------------------------------------------------------
7a69ezine Advisories 7a69Adv#21
- ------------------------------------------------------------------
http://www.7a69ezine.org [02/02/2005]
- ------------------------------------------------------------------
Title: WinRAR unpack one-folder path disclosure
Author: Albert Puigsech Galicia - <ripe@xxxxxxxxxxxxx>
Software: WinRAR
Versions: >= 3.42
Remote: yes
Exploit: yes
Severity: Low
- ------------------------------------------------------------------
I. Introduction.
WinRAR is an archive manager that can create and decompress ZIP, RAR and
other files. You can download this software and get more info about it from
http://www.rarlab.com.
II. Description.
WinRAR adds some options to unpack files directly using left-click. The
option of extracting files directly in the directory allows you to store the
files ina a directory that takes the same name of the compressed file but
without the extension, so if the filename is '...zip' and you use this option
the uncompressed data will be stored on "../" folder.
III. Exploit
It's realy hard to exploit this issue in a real scenario, because you can't
know where the malicious file will. But, for example, if it's on 'C:/temp'
you can create any file on the root filesystem.
Windows does not allow to create a files with the apropiate name to exploit
the vulnerability, but you can use other sistem to do it.
IV. Patch
No oficial patch avaliable. Be careful unpacking untrusted files.
V. Timeline
02/01/2005 - Bug discovered
16/01/2005 - Mail sent to dev@xxxxxxxxxx
16/01/2005 - Fast vendor response
02/02/2005 - Advisor released
VI. Extra data
You can find more 7a69ezine advisories on this following link:
http://www.7a69ezine.org/avisos/propios [spanish info]