unace-1.2b multiple buffer overflows and directory traversal bugs
From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Tue, 22 Feb 2005 23:59:35 +0100
I have found multiple security vulnerabilities in unace-1.2b. (It is
the last free version. The later versions are just binaries for the
x86 processor, which is unhelpful if you want to use free software or
if your computer has a non-x86 processor.)
There are two buffer overflows when extracting, testing or listing
specially prepared ACE archives. They are caused by wrong usage of
strncpy() with the third parameter coming from the archive. In both
cases, the attacker controls the EIP register.
There are also two buffer overflows when (a) dealing with long (>15600
characters) command line arguments for archive names, and (b) preparing
a string for printing "Ready for next volume" messages.
Furthermore, there are directory traversal bugs when extracting ACE
archives. They are both of the absolute ("/etc/nologin") and the relative
All buffer overflows have the identifier CAN-2005-0160, and the directory
traversal bugs have the identifier CAN-2005-0161.
I have attached a ZIP archive containing some test archives and a patch.
I wrote a small Perl script to create the test archives, after having
read ACE.txt. I didn't have the time to create archives that work on
unace-2.x, so I haven't really tested whether later versions of unace
are vulnerable to any of these bugs.
The vendor and the distributors have been contacted, and the 22nd of
February was agreed upon as the release date.
// Ulf Härnhammar for the Debian Security Audit Project
Run this to get my new e-mail address:
lynx -source http://slashdot.org/ | head -n1 | sed -e 's%".*$%%' \
-e 'y%TC!%aa#%' -e 's%UB%te%g' -e 'y%<ODP%#emr%' -e 's%E H.*r% %' \
-e 's%#%%g' -e 's%$%com%' -e 's%aa*%ta%' -e 'y%IYL%iul%'
Full-Disclosure - We believe in it.
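Added example (not part of Ulf's post, and not unace's code): the two bug classes the advisory names, a strncpy() whose length comes from the archive and an extraction path that is absolute or contains "..", shown as a vulnerable copy beside a bounded one and a path check. The record layout (two-byte little-endian length followed by the name), the 256-byte buffer, the treatment of '\' as a separator and all function names are assumptions for illustration, not the ACE format or unace internals.

```c
/* Added example for this advisory; not unace code. The record layout,
 * buffer size and function names are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* assumed fixed-size filename buffer */

/* Vulnerable pattern the advisory describes: the third strncpy() argument
 * comes straight from the archive. strncpy() copies (and pads) n bytes into
 * dst regardless of sizeof(dst), so n > NAME_BUF overwrites the stack frame
 * and the saved return address (the attacker-controlled EIP). Shown for
 * contrast only; main() calls it with a benign n. */
static void copy_name_unsafe(char dst[NAME_BUF], const char *src, size_t n)
{
    strncpy(dst, src, n);  /* n is archive-controlled, not sizeof(dst) */
    dst[n] = '\0';         /* and this terminator write is out of bounds too */
}

/* Hardened form: bound by the destination and refuse records that do not
 * fit. Returns 0 on success, -1 if the declared length cannot fit. */
static int copy_name_safe(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Directory-traversal check for an extraction path taken from an archive.
 * Rejects absolute paths ("/etc/nologin", "\\x", "C:\\x") and any ".."
 * component. '/' and '\\' are both treated as separators (assumption: ACE
 * archives are commonly produced on Windows). Returns 1 if safe, else 0. */
static int path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/' || name[0] == '\\')
        return 0;
    if (((name[0] >= 'A' && name[0] <= 'Z') ||
         (name[0] >= 'a' && name[0] <= 'z')) && name[1] == ':')
        return 0;
    for (const char *p = name; *p; ) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p = *end ? end + 1 : end;
    }
    return 1;
}

/* Assumed stand-in record: [len_lo][len_hi][name bytes...]. Returns 0 on
 * success, -1 for a length that is truncated, oversized or hides a NUL,
 * -2 for a name that would escape the extraction directory. */
static int parse_name_record(const uint8_t *rec, size_t reclen,
                             char *out, size_t outsz)
{
    if (reclen < 2)
        return -1;
    size_t n = rec[0] | ((size_t)rec[1] << 8);
    if (n > reclen - 2)                  /* declared length exceeds record */
        return -1;
    if (copy_name_safe(out, outsz, (const char *)rec + 2, n) != 0)
        return -1;                       /* would overflow the name buffer */
    if (strlen(out) != n)                /* embedded NUL in the name */
        return -1;
    if (!path_is_safe(out))
        return -2;
    return 0;
}

int main(void)
{
    char name[NAME_BUF];
    /* Constructed records (not from the advisory's test archives). */
    const uint8_t ok[]   = {15, 0, 'd','o','c','s','/','r','e','a','d','m','e','.','t','x','t'};
    const uint8_t big[]  = {0x00, 0x40, 'A'};            /* claims 16384 bytes */
    const uint8_t rel[]  = {17, 0, '.','.','/','.','.','/','e','t','c','/','n','o','l','o','g','i','n'};
    const uint8_t absp[] = {12, 0, '/','e','t','c','/','n','o','l','o','g','i','n'};

    copy_name_unsafe(name, "abc", 3);    /* benign call; n fits the buffer */
    printf("unsafe copy with benign n: %s\n", name);
    printf("ok   -> %d\n", parse_name_record(ok, sizeof ok, name, sizeof name));
    printf("big  -> %d\n", parse_name_record(big, sizeof big, name, sizeof name));
    printf("rel  -> %d\n", parse_name_record(rel, sizeof rel, name, sizeof name));
    printf("absp -> %d\n", parse_name_record(absp, sizeof absp, name, sizeof name));
    return 0;
}
```

The point of the bounded copy is that the archive may declare any length it likes; the only number the copy may trust is the size of the destination, and a record that does not fit is rejected rather than truncated, since truncation would silently change which file gets written.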