WinAce Archiver v2.6 Directory traversal

To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, support@xxxxxxxxxxx, "content-editor@xxxxxxxxxxxxxxxxx" <content-editor@xxxxxxxxxxxxxxxxx>, "editor@xxxxxxxxxxxxxxxxx" <editor@xxxxxxxxxxxxxxxxx>, "expert@xxxxxxxxxxxxxx" <expert@xxxxxxxxxxxxxx>, "news-editor@xxxxxxxxxxxxxxxxx" <news-editor@xxxxxxxxxxxxxxxxx>, "vuldb@xxxxxxxxxxxxxxxxx" <vuldb@xxxxxxxxxxxxxxxxx>, "vuln@xxxxxxxxxxx" <vuln@xxxxxxxxxxx>, "webmaster@xxxxxxxxxxx" <webmaster@xxxxxxxxxxx>, "webmaster@xxxxxxxxxxxxxxxxx" <webmaster@xxxxxxxxxxxxxxxxx>
Subject: WinAce Archiver v2.6 Directory traversal
From: h e <het_ebadi@xxxxxxxxx>
Date: Fri, 24 Feb 2006 05:58:57 -0800 (PST)
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=01fu11HTuhF3f/6FJFGMP2McVPLnDl2XtgbIbbPUQC1EVCumc6Pgms0uEXGpXDPnL7Py4T0Bs7ZfxLUqqICbFcAAO2oorP1ZzZuWqA6H6/MmL1QiKwE2f6nFtSVcUePJj4ZtWgYu8wzzCFEekVQsuYJAWaEK+tXsPiPDt3JcYYY= ;
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

WinAce Archiver v2.6  Directory traversal 
ACE Cmpression Software & e-merge GmbH 
http://www.winace.com

Credit:
The information has been provided by Hamid Ebadi
( Hamid Network Security Team) : admin@xxxxxxxxx
The original article can be found at :
http://hamid.ir/security

Vulnerable Systems:
WinAce Archiver v2.6 and Below

Detail :
Directory traversal while extracting (.RAR),(.TAR)

What is  Directory traversal in archivers?

that allowed one to create malicous archive files,
which would overwrite system files or place dangerous
files in defined directory(example :shell.php in
wwwroot directory)
This could be abused by sending an archive to a local
user who would unzip / untar an archive, the archive
would then be able to overwrite any file to which the
user has write permissions, thus it could also be
abused if a system ran som antivirus software which
automatically opened archive files.

harmless exploit:
use HEAP [Hamid Evil Archive Pack]
you can find it from Hamid Network Security Team:

http://www.hamid.ir/tools/

want to know more ?
http://www.hamid.ir/paper

Signature
 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Prev by Date: Archive_Tar v 1.2(Tested) (Tar file management class) Directory traversal
Next by Date: StuffIt and ZipMagic Family of products Directory traversal
Previous by thread: Archive_Tar v 1.2(Tested) (Tar file management class) Directory traversal
Next by thread: StuffIt and ZipMagic Family of products Directory traversal
Index(es):
- Date
- Thread