Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

7a69Adv#21 - WinRAR unpack one-folder path disclosure
From: Albert Puigsech Galicia <ripe () 7a69ezine org>
Date: Wed, 2 Feb 2005 08:23:14 +0000
- ------------------------------------------------------------------
       7a69ezine Advisories                      7a69Adv#21
- ------------------------------------------------------------------
  http://www.7a69ezine.org                            [02/02/2005]
- ------------------------------------------------------------------

Title:        WinRAR unpack one-folder path disclosure

Author:       Albert Puigsech Galicia - <ripe () 7a69ezine org>

Software:     WinRAR

Versions:     >= 3.42

Remote:       yes

Exploit:      yes

Severity:     Low

- ------------------------------------------------------------------



I. Introduction.

 WinRAR is an archive manager that can create and decompress ZIP, RAR and 
other files. You can download this software and get more info about it from 
http://www.rarlab.com.



II. Description.


 WinRAR adds some options to unpack files directly using left-click. The 
option of extracting files directly in the directory allows you to store the 
files ina a directory that takes the same name of the compressed file but 
without the extension, so if the filename is '...zip' and you use this option 
the uncompressed data will be stored on "../" folder.



III. Exploit

 It's realy hard to exploit this issue in a real scenario, because you can't 
know where the malicious file will. But, for example, if it's on 'C:/temp' 
you can create any file on the root filesystem.

 Windows does not allow to create a files with the apropiate name to exploit 
the vulnerability, but you can use other sistem to do it.
 


IV. Patch

 No oficial patch avaliable. Be careful unpacking untrusted files.



V. Timeline

02/01/2005  -  Bug discovered
16/01/2005  -  Mail sent to dev () rarlab com
16/01/2005  -  Fast vendor response
02/02/2005  -  Advisor released




VI. Extra data

 You can find more 7a69ezine advisories on this following link:

    http://www.7a69ezine.org/avisos/propios [spanish info]

  By Date           By Thread  

Current thread:
  • 7a69Adv#21 - WinRAR unpack one-folder path disclosure Albert Puigsech Galicia (Feb 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]