TUGZip Archive Extraction Directory traversal
- To: support@xxxxxxxxxxx, "bugs@xxxxxxxxxxxxxxxxxxx" <bugs@xxxxxxxxxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "content-editor@xxxxxxxxxxxxxxxxx" <content-editor@xxxxxxxxxxxxxxxxx>, "editor@xxxxxxxxxxxxxxxxx" <editor@xxxxxxxxxxxxxxxxx>, "expert@xxxxxxxxxxxxxx" <expert@xxxxxxxxxxxxxx>, "news-editor@xxxxxxxxxxxxxxxxx" <news-editor@xxxxxxxxxxxxxxxxx>, "vuldb@xxxxxxxxxxxxxxxxx" <vuldb@xxxxxxxxxxxxxxxxx>, "vuln@xxxxxxxxxxx" <vuln@xxxxxxxxxxx>, "webmaster@xxxxxxxxxxx" <webmaster@xxxxxxxxxxx>, "webmaster@xxxxxxxxxxxxxxxxx" <webmaster@xxxxxxxxxxxxxxxxx>
- Subject: TUGZip Archive Extraction Directory traversal
- From: h e <het_ebadi@xxxxxxxxx>
- Date: Mon, 10 Apr 2006 04:35:05 -0700 (PDT)
TUGZip is a powerful award-winning freeware archiving
utility for Windows® that provides support for a wide
range of compressed, encoded and disc-image files, as
well as many other very powerful features; all through
an easy to use application interface and Windows
Explorer integration.
Supports ZIP, 7-ZIP, A, ACE, ARC, ARJ, BH, BZ2, CAB,
CPIO, DEB, GCA, GZ, IMP, JAR, LHA (LZH), LIB, RAR,
RPM, SQX, TAR, TGZ, TBZ, TAZ, YZ1 and ZOO archives.
Create 7-ZIP, BH, BZ2, CAB, JAR, LHA (LZH), SQX, TAR,
TGZ, YZ1 and ZIP archives.
http://www.tugzip.com
Credit:
The information has been provided by Hamid Ebadi and
Claus Berghammer
( Hamid Network Security Team) : admin[at]hamid[.]ir
Claus Berghammer : office(at)cb-computerservice(dot)at
The original article can be found at :
http://hamid.ir/security
Vulnerable Systems:
TUGZip 3.4.0.0, 3.3.0.0 and 3.1.0.2
Detail:
The vulnerability is caused by an input validation error when extracting
GZ (*.gz), JAR (*.jar), RAR (*.rar) and ZIP (*.zip) archives. The file
name stored in the archive is evidently used as-is when the output path
is built, so a name containing the "../" directory traversal sequence
makes the file land at an arbitrary location outside the directory the
user selected for extraction (any path the extracting user is allowed
to write to). For gzip, which holds a single file, the stored name is
the optional FNAME field of the gzip header (RFC 1952).
Do not extract untrusted GZ, JAR, RAR or ZIP files with an affected
version.
To reduce the risk, never extract files as an administrative user; the
damage is then limited to what that account can overwrite.
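How such an archive is built and how an extractor should refuse it, as an
added example that is not code from the advisory, from TUGZip or from
HEAP: the script constructs a small ZIP whose member names try to escape
the destination in several ways (plain "../", "../" hidden behind a
subdirectory, backslash separators, an absolute path, a drive-letter
path), then extracts it with a name-level check followed by a
filesystem-level check that the resolved path is still under the
destination. The member bytes are written by hand because Python's own
ZipFile.extract() already strips such components, which would hide the
point. Function names and the sample member names are the example's own.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def build_traversal_zip() -> bytes:
    """Constructed test archive: one benign member plus members whose names
    try to escape the extraction directory in several ways."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless\n")
        zf.writestr("../../escaped.txt", "plain ../ traversal\n")
        zf.writestr("sub/../../escaped2.txt", "normalises to ../escaped2.txt\n")
        zf.writestr("..\\..\\escaped3.txt", "backslash separators\n")
        zf.writestr("/tmp/escaped4.txt", "absolute path\n")
        zf.writestr("C:/Users/escaped5.txt", "drive-letter path\n")
    return buf.getvalue()


def is_safe_member(name: str) -> bool:
    """Name-level check: treat backslashes as separators, refuse absolute and
    drive-letter paths, and refuse anything that still starts with '..' after
    normalisation (so 'sub/../../x' is caught as well as '../x')."""
    norm = name.replace("\\", "/")
    first = norm.split("/")[0]
    if norm.startswith("/") or ":" in first:
        return False
    head = posixpath.normpath(norm).split("/")[0]
    return head not in ("..", "", ".")


def extract_safely(archive_bytes: bytes, dest: str):
    """Extract only members that stay inside dest. Returns (extracted, rejected).
    Bytes are written by hand so the checks here are the only thing standing
    between the stored name and the filesystem."""
    dest_real = os.path.realpath(dest)
    os.makedirs(dest_real, exist_ok=True)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_member(name):
                rejected.append(name)
                continue
            target = os.path.realpath(
                os.path.join(dest_real, *name.replace("\\", "/").split("/")))
            # Second, filesystem-level check: the resolved path must still be
            # under dest even after symlinks and OS-specific normalisation.
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def run_demo() -> dict:
    """Extract the constructed archive into a temporary directory and report
    what was written inside it and whether anything landed one level up."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "out")
        extracted, rejected = extract_safely(build_traversal_zip(), out)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "readme_inside": os.path.isfile(os.path.join(out, "readme.txt")),
            "escaped_outside": os.path.exists(os.path.join(tmp, "escaped.txt")),
        }


if __name__ == "__main__":
    print(run_demo())
```

Rejecting on the stored name alone is not enough in general (a member may be
a symlink that a later member writes through), which is why the resolved
target is checked against the destination a second time before anything is
written.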
Harmless exploit:
Use HEAP [Hamid Evil Archive Pack].
You can download it from Hamid Network Security Team:
http://www.hamid.ir/tools/
Want to know more?
http://www.hamid.ir/paper