Full Disclosure mailing list archives

Re: unarj dir-transversal bug (../../../..)
From: Chris Umphress <umphress () gmail com>
Date: Mon, 11 Oct 2004 20:30:00 -0700

> evil () sheep:~$ unarj x test.arj
> ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27 Jun 2004]
>
> Processing archive: test.arj
> Archive created: 2004-10-12 01:15:49, modified: 2004-10-12 01:15:49
> usr/bin/namei, Create this directory? Yes
> Extracting ../usr/bin/namei           to usr/bin/namei               OK
>      1 file(s)
>
> so it's not taking all the ../ into account and also an .arj created with
> full path is created in $PWD. arj + unarj are both v3.10.

Good point. I tried extracting again with 3.10, and it only leaves the
one "../" on the front.

> ...somehow i don't expect programs to mess with /usr. not as a user and
> not as root.

I just picked /usr, it could have been /etc, /var or any other
standard directory that every *nix distribution has. Regardless, if I
try to make unarj write to a directory that I don't have the
necessary permissions for, it asks me to pick an alternate location
to extract to.

> /me wonders about which version of arj/unarj "doubles" is talking about....

I don't see a problem, but it would be interesting to see which
version "doubles" is referring to.

Chris Umphress <http://daga.dyndns.org/>

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
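
Added example, not part of the original message and not ARJ's code: the quoted output shows a stored name of ../usr/bin/namei being extracted to usr/bin/namei under the current directory, and a full-path archive landing in $PWD. The C function below is one way an extractor can confine member names like that. `sanitize_member` is a hypothetical name, the sample names are constructed, and it goes beyond the message by also handling `..` in the middle of a name.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not ARJ code): rewrite a stored member name so it
 * stays under the extraction directory. Returns 0 with a relative path in
 * out, or -1 if no file name remains or a buffer is too small. */
int sanitize_member(const char *stored, char *out, size_t outlen)
{
    char buf[1024];
    const char *parts[sizeof buf / 2 + 1];   /* upper bound on components */
    size_t depth = 0, used = 0;

    if (strlen(stored) >= sizeof buf)
        return -1;
    strcpy(buf, stored);
    /* Splitting on '/' and '\\' also discards a leading '/' (absolute name). */
    for (char *tok = strtok(buf, "/\\"); tok; tok = strtok(NULL, "/\\")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (depth > 0)
                depth--;      /* step back, but only inside the tree */
            continue;         /* at the top: drop it, never climb out */
        }
        parts[depth++] = tok;
    }
    if (depth == 0)
        return -1;            /* e.g. "../.." leaves nothing to create */
    for (size_t i = 0; i < depth; i++) {
        size_t len = strlen(parts[i]);
        if (used + len + (i ? 1 : 0) >= outlen)
            return -1;        /* no room for separator, name and NUL */
        if (i)
            out[used++] = '/';
        memcpy(out + used, parts[i], len + 1);
        used += len;
    }
    return 0;
}

int main(void)
{
    /* Constructed names; the first is the one from the quoted output. */
    const char *names[] = { "../usr/bin/namei", "/etc/passwd", "a/../../b", "../.." };
    char out[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s -> %s\n", names[i],
               sanitize_member(names[i], out, sizeof out) == 0 ? out : "(rejected)");
    return 0;
}
```

The function only rewrites the name; symbolic links that already exist under the extraction directory are outside what it checks.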