Bug 93079 - games-util/dzip is vulnerable to directory traversals
Summary: games-util/dzip is vulnerable to directory traversals
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-18 08:44 UTC by Stefan Cornelius (RETIRED)
Modified: 2005-06-06 11:07 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
PoC exploit (PoC.dz, 81 bytes, application/octet-stream)
2005-05-18 08:48 UTC, Stefan Cornelius (RETIRED)
dzip-2.9-scrub-names.patch (dzip-2.9-scrub-names.patch, 1.92 KB, patch)
2005-05-19 18:38 UTC, SpanKY

Description Stefan Cornelius (RETIRED) gentoo-dev 2005-05-18 08:44:45 UTC
dzip is vulnerable to a directory traversal attack when unpacking specially crafted .dz files.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-05-18 08:48:23 UTC
Created attachment 59225 [details]
PoC exploit

1. Get the PoC.dz file
2. Extract, like here:
bash-2.05b$ ./dzip -x PoC.dz
PoC.dz created using v2.9
extracting ./../../exploited_file
3. 2 directories up, you can find a file called exploit_file with a "w0000t"
string in it
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-05-18 09:13:06 UTC
Stefan, could you make sure upstream is alive and aware of this ?
Comment 3 Mr. Bones. (RETIRED) gentoo-dev 2005-05-18 09:18:22 UTC
so.... you can overwrite your own files with a special .dz file?
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2005-05-18 09:23:32 UTC
Contacted one of the upstream guys.

Mr.Bones.: no, overwriting most likely won't work
"./../../exploited_file exists; will not overwrite"
Comment 5 Mr. Bones. (RETIRED) gentoo-dev 2005-05-18 09:28:15 UTC
So what's the exploit?
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2005-05-18 09:29:43 UTC
dzip offers an option to force the overwriting of files, so if an attacker
tricks a user to use this option, files will be overwritten.
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-18 09:47:00 UTC
Mr Bones: directory traversal is the exploit, ie you send someone a file that creates ../../../../../../../../home/foo/.profile, if you google for "tar directory traversal" or "zip directory traversal" and so on you can see some examples in other archiving utilities.
Comment 8 Mr. Bones. (RETIRED) gentoo-dev 2005-05-18 10:27:25 UTC
I'm not impressed.  rm has some neat options that if you can trick a user into
using can cause massive data loss as well.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-05-18 11:46:44 UTC
I tend to agree that if it doesn't overwrite files unless a specific option is
provided it could be considered WONTFIX/DUMB_USER_REQUIRED_TO_EXPLOIT. That
said, we issued GLSAs for worse than that.
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2005-05-19 08:18:35 UTC
<DerCorny> are you going to patch it?
<@Radix37> probably eventually... i already have a lot of new things in an
unfinished new version
Comment 11 SpanKY gentoo-dev 2005-05-19 18:38:52 UTC
Created attachment 59339 [details, diff]
dzip-2.9-scrub-names.patch

seems to work for me ... please review
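The traversal Tavis describes in Comment 7 and the "scrub-names" approach of the attached patch both come down to one check: an entry name taken from the archive must never be allowed to escape the extraction directory. The following is an added example written for this page; it is not dzip's code and not the attached patch, and the function names `scrub_entry_name`, `entry_name_is_safe` and `scrubbed` are hypothetical. It walks each `/`-separated component of an entry name, drops `.` components and any leading `/`, and rejects the name outright if a `..` component appears, which is what turns `./../../exploited_file` from the PoC into a refused entry instead of a file written two directories up.

```c
#include <stdio.h>
#include <string.h>

/* Copy an archive entry name into out, dropping "." components and leading
 * slashes, and refusing any name that contains a ".." component.
 * Returns 0 if the scrubbed name is safe to create relative to the
 * extraction directory, -1 if the entry must be rejected.
 * Hypothetical helper written for this page, not dzip's own code. */
int scrub_entry_name(const char *name, char *out, size_t outlen)
{
    size_t pos = 0;
    const char *p = name;

    if (name == NULL || out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';

    while (*p) {
        /* skip any run of separators; this also strips an absolute prefix */
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;

        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 1 && p[0] == '.') {
            /* "." contributes nothing to the path */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            return -1;                      /* traversal attempt: refuse */
        } else {
            /* existing text + optional '/' + component + NUL must fit */
            size_t need = pos + (pos ? 1 : 0) + len + 1;
            if (need > outlen)
                return -1;
            if (pos)
                out[pos++] = '/';
            memcpy(out + pos, p, len);
            pos += len;
            out[pos] = '\0';
        }
        p = end ? end + 1 : p + len;
    }
    /* a name that is empty after scrubbing names no file at all */
    return pos ? 0 : -1;
}

/* Convenience wrappers so a caller (or a test) can ask about a name
 * without managing a buffer. The static buffer is not thread-safe. */
int entry_name_is_safe(const char *name)
{
    char buf[4096];
    return scrub_entry_name(name, buf, sizeof buf) == 0;
}

const char *scrubbed(const char *name)
{
    static char buf[4096];
    if (scrub_entry_name(name, buf, sizeof buf) != 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* constructed sample entry names; the first is the PoC's entry */
    const char *names[] = {
        "./../../exploited_file",
        "../../../../home/foo/.profile",
        "/etc/passwd",
        "demos/./run1.dem",
        "run2.dem",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *s = scrubbed(names[i]);
        if (s)
            printf("extracting %s\n", s);
        else
            printf("refusing unsafe entry name %s\n", names[i]);
    }
    return 0;
}
```

Rejecting on `..` rather than collapsing it is the conservative choice: a component-level check cannot be fooled by `a/../../b`, and an archive that legitimately needs `..` is rare enough that refusing it is the safer default. Symlinks created earlier in the same archive are a separate escape route that a name check alone does not cover; extraction code that creates symlinks needs to resolve the target directory with `realpath()` before writing through it.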
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2005-05-19 19:58:15 UTC
Patch seems fine so far.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-05-20 10:49:27 UTC
Auditors, please have a look at the patch...
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-05-29 12:50:51 UTC
SpanKY: Tavis had a look and likes it. Please push it in the ebuild.
Comment 15 SpanKY gentoo-dev 2005-05-29 15:47:34 UTC
done, and stabilized for x86
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-05-30 00:52:30 UTC
Ready for GLSA
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-06-06 11:07:50 UTC
GLSA 200506-03