[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

7a69Adv#20 - ZipGenius unpack one-folder path disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: 7a69Adv#20 - ZipGenius unpack one-folder path disclosure
From: Albert Puigsech Galicia <ripe@xxxxxxxxxxxxx>
Date: Wed, 2 Feb 2005 08:19:38 +0000

- ------------------------------------------------------------------
       7a69ezine Advisories                      7a69Adv#20
- ------------------------------------------------------------------
  http://www.7a69ezine.org                            [02/02/2005]
- ------------------------------------------------------------------

Title:        ZipGenius unpack one-folder path disclosure

Author:       Albert Puigsech Galicia - <ripe@xxxxxxxxxxxxx>

Software:     ZipGenius

Versions:     >= 5.5

Remote:       yes

Exploit:      yes

Severity:     Low

- ------------------------------------------------------------------



I. Introduction.

 ZipGenius is a file compression suite that supports more than 20 formats of 
compressed archives including RAR, ARJ, ACE, CAB, SQX and ZIP. It's free and 
easy to use, and you can download it from http://www.zipgenius.it.



II. Description.


 Zipgenius adds some options to unpack files directly using left-click. The 
option of extracting files directly in the directory allows you to store the 
files ina a directory that takes the same name of the compressed file but 
without the extension, so if the filename is '...zip' and you use this option 
the uncompressed data will be stored on "../" folder.



III. Exploit

 It's realy hard to exploit this issue in a real scenario, because you can't 
know where the malicious file will. But, for example, if it's on 'C:/temp' 
you can create any file on the root filesystem.

 Windows does not allow to create a files with the apropiate name to exploit 
the vulnerability, but you can use other sistem to do it.
 


IV. Patch

 Update to ZipGenius 6 Beta.
 

V. Timeline

02/01/2005  -  Bug discovered
10/01/2005  -  Mail sent to zginfo@xxxxxxxxxxxx
16/01/2005  -  Mail sent to zginfo@xxxxxxxxxxxx again
18/01/2005  -  Vendor response
20/01/2005  -  Solved in beta version
02/02/2005  -  Advisor released



VI. Extra data

 You can find more 7a69ezine advisories on this following link:

    http://www.7a69ezine.org/avisos/propios [spanish info]

Prev by Date: [ GLSA 200502-02 ] UW IMAP: CRAM-MD5 authentication bypass
Next by Date: [SIG^2 G-TEC] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities
Previous by thread: [ GLSA 200502-02 ] UW IMAP: CRAM-MD5 authentication bypass
Next by thread: [SIG^2 G-TEC] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities
Index(es):
- Date
- Thread