Multiple vendor file archivers file extraction directory traversal

archive-extraction-directory-traversal (10224)
Risk level: Medium

Description:

Multiple vendor file archivers (GNU tar, Info-ZIP UnZip, PKWARE PKZIP, and RARSoft RAR) are vulnerable to directory traversal during extraction that could allow an attacker to create or overwrite files on the system. The archivers trust the file names stored in the archive: if an entry name contains "dot dot" sequences (../) or other path-specifying characters such as a leading slash, the file is written according to those components instead of being confined to the extraction directory. An attacker who supplies a specially crafted archive that a local user then extracts could therefore write to any location the extracting user has write access to, overwriting or corrupting files or planting trojaned files on the system.
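The failure mode described above, as an added worked example that is not code from the advisory or from any of the listed archivers: it uses Python's tarfile module to build an in-memory tar whose member names try to escape the extraction directory (a "../" name, an absolute name, and a symlink pointing outside the destination followed by a file written through it), shows where the naive `os.path.join(dest, name)` an affected extractor performs would land, and then extracts with a check that resolves every member path against the destination and refuses anything that lands outside. All member names, file contents and the `/tmp` link target are constructed for the example; the check is a generic practitioner-side mitigation, not the fix any vendor shipped.

```python
import io
import os
import tarfile
import tempfile

# Constructed member names: one benign, the rest are escape attempts.
BENIGN = "safe/readme.txt"
TRAVERSAL = "../../escaped.txt"    # the "dot dot" case from the advisory
ABSOLUTE = "/tmp/absolute.txt"     # absolute name: os.path.join() drops dest
SYMLINK = "link"                   # symlink whose target is outside dest ...
THROUGH_LINK = "link/planted.txt"  # ... followed by a file written through it

def build_malicious_tar():
    """Construct an in-memory tar whose member names try to escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in (BENIGN, TRAVERSAL, ABSOLUTE):
            payload = f"content of {name}\n".encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo(SYMLINK)
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp"  # hypothetical target outside dest
        tf.addfile(link)
        payload = b"planted through the symlink\n"
        info = tarfile.TarInfo(THROUGH_LINK)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def naive_target(dest, name):
    """The vulnerable pattern: trust the member name and join it to dest."""
    return os.path.normpath(os.path.join(dest, name))

def resolves_inside(dest, relative):
    """True only if dest/relative resolves (symlinks followed) to a path inside
    dest.  An absolute name makes join() discard dest, so it fails too."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, relative))
    return os.path.commonpath([dest_real, target]) == dest_real

def symlink_is_safe(dest, member):
    """A symlink must itself live inside dest and point inside dest."""
    if not resolves_inside(dest, member.name):
        return False
    # join() keeps an absolute linkname as-is, so "/tmp" is caught here.
    target = os.path.join(os.path.dirname(member.name), member.linkname)
    return resolves_inside(dest, target)

def safe_extract_tar(data, dest):
    """Extract files and symlinks that stay inside dest; reject the rest.
    Returns (extracted_names, rejected_names) in archive order."""
    extracted, rejected = [], []
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf:
            if m.issym():
                ok = symlink_is_safe(dest, m)
            elif m.isfile():
                ok = resolves_inside(dest, m.name)
            else:
                ok = False  # directories, hard links, devices: not handled
            if not ok:
                rejected.append(m.name)
                continue
            path = os.path.join(dest_real, m.name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)
            else:
                with open(path, "wb") as out:
                    out.write(tf.extractfile(m).read())
            extracted.append(m.name)
    return extracted, rejected

def on_disk(dest):
    """What extraction actually left behind, for checking the outcome."""
    return {
        "benign": os.path.isfile(os.path.join(dest, BENIGN)),
        "link_is_symlink": os.path.islink(os.path.join(dest, SYMLINK)),
        "planted_inside": os.path.isfile(os.path.join(dest, THROUGH_LINK)),
        "escaped": os.path.exists(naive_target(dest, TRAVERSAL)),
    }

def demo():
    """Extract the constructed archive into a fresh temporary directory."""
    dest = tempfile.mkdtemp()
    return dest, safe_extract_tar(build_malicious_tar(), dest)

if __name__ == "__main__":
    dest, (kept, dropped) = demo()
    print(f"extracted {kept}; rejected {dropped}; on disk: {on_disk(dest)}")
```

Run it directly to print which members were written and which were refused. Two details matter: the check resolves the real path (so it follows symlinks already present on disk), and it is applied to the link target of symlink members as well, otherwise an archive can first plant a link to a directory outside the destination and then write a regular file through it. Once the link is refused, the later "link/planted.txt" member is harmless and lands inside the destination as an ordinary file. Zip entry names need the same treatment; only the container format differs.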

Platforms Affected:

  • Conectiva, Linux 6.0
  • Conectiva, Linux 7.0
  • Conectiva, Linux 8.0
  • EngardeLinux, Secure Linux
  • Gentoo, Linux
  • Info-ZIP, UnZip 5.42 and prior
  • MandrakeSoft, Mandrake Linux 7.1
  • MandrakeSoft, Mandrake Linux 7.2
  • MandrakeSoft, Mandrake Linux 8.0
  • MandrakeSoft, Mandrake Linux 8.0 PPC
  • MandrakeSoft, Mandrake Linux 8.1
  • MandrakeSoft, Mandrake Linux 8.1 IA64
  • MandrakeSoft, Mandrake Linux 8.2 PPC
  • MandrakeSoft, Mandrake Linux 8.2
  • MandrakeSoft, Mandrake Linux 9.0
  • MandrakeSoft, Mandrake Linux Corporate Server 1.0.1
  • MandrakeSoft, Mandrake Single Network Firewall 7.2
  • OpenPKG, OpenPKG 2-STABLE
  • OpenPKG, OpenPKG CURRENT
  • OpenPKG, OpenPKG Enterprise E1.0-SOLID
  • PKWARE, PKZIP 4.00
  • RARSoft, RAR 2.02 and prior
  • RedHat, Enterprise Linux 2.1 WS
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Enterprise Linux 2.1 ES
  • RedHat, Enterprise Linux 3 WS
  • RedHat, Enterprise Linux 3 Desktop
  • RedHat, Enterprise Linux 3 AS
  • RedHat, Enterprise Linux 3 ES
  • RedHat, Linux 6.2
  • RedHat, Linux 7
  • RedHat, Linux 7.1
  • RedHat, Linux 7.1 for iSeries
  • RedHat, Linux 7.1 for pSeries
  • RedHat, Linux 7.2
  • RedHat, Linux 7.3
  • RedHat, Linux Advanced Workstation 2.1 Itanium
  • SuSE, SuSE Linux

Remedy:

For GNU tar 1.13.19 and earlier:
Upgrade to the latest version of tar (1.13.25 or later), available from the GNU FTP site. See References.

For UnZip 5.42 and earlier:
Upgrade to the latest version of UnZip (5.50 or later), available from the Info-ZIP Web site. See References.

For Red Hat Linux (tar):
Refer to RHSA-2006:0195-8 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux containing the tar packages:
Upgrade to the latest sys-apps/tar package, as listed in Gentoo Linux Security Announcement 2002-10-01 12:30 UTC. See References.

For Gentoo Linux containing the unzip packages:
Upgrade to the latest app-arch/unzip package, as listed in Gentoo Linux Security Announcement 2002-10-01 10:30 UTC. See References.

For EnGarde Secure Linux Community Edition:
Upgrade to the latest tar package (1.13.25-1.0.5 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20021003-022. See References.

For Mandrake Linux:
Upgrade to the latest unzip packages, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:065 (unzip) for more information. See References.

Linux-Mandrake 7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1 and Single Network Firewall 7.2: 5.50-2.1mdk or later

For Mandrake Linux:
Upgrade to the latest tar packages, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:066 (tar) for more information. See References.

Linux-Mandrake 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, Corporate Server 1.0.1 and Single Network Firewall 7.2: 1.13.25-6.2mdk or later

For Conectiva Linux:
Upgrade to the latest tar and unzip packages, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:538 for more information. See References.

tar:
Conectiva Linux 6.0: 1.13.25-1U60_1cl or later
Conectiva Linux 7.0: 1.13.25-1U70_1cl or later
Conectiva Linux 8.0: 1.13.25-2U80_1cl or later

unzip:
Conectiva Linux 6.0: 5.50-1U60_1cl or later
Conectiva Linux 7.0: 5.50-1U70_1cl or later
Conectiva Linux 8.0: 5.50-1U80_1cl or later

For SUSE Linux (star):
Refer to SUSE-SR:2007:019 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

File Manipulation

References:

Reported:

Jul 02, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
