Unreal Commander解压zip及rar压缩文件目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113500 漏洞类型 路径遍历
发布时间 2007-08-23 更新时间 2007-10-29
CVE编号 CVE-2007-4545 CNNVD-ID CNNVD-200708-437
漏洞平台 Multiple CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/30521
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-437
|漏洞详情
UnrealCommander是一款免费的Windows平台文件管理器。UnrealCommander在解压文件时存在多个安全漏洞,攻击者可能通过诱使用户处理恶意文件控制用户系统。如果用户使用UnrealCommander解压了文件名包含有类似于以下目录遍历序列的ZIP或RAR文档的话:Something/../../../../../../ProgramFiles/Something/ws2_32.dll就会导致在指定目录中创建ws2_32.dll文件。ZIP文档中包含有两处写入文件名的位置:Local文件头和CentralDirectory。如果ZIP文件的文件头包含有畸形文件大小的话,UnrealCommander就会写入堆中文件数据,可能允许泄露敏感信息。
|漏洞EXP
source: http://www.securityfocus.com/bid/25419/info

Unreal Commander is prone to multiple remote vulnerabilities when handling malformed ZIP and RAR archives. These vulnerabilities include a directory-traversal vulnerability, an information-disclosure vulnerability, and a filename-spoofing vulnerability.

An attacker can exploit these issues to compromise the affected computer, overwrite arbitrary files, and obtain sensitive information. Exploits of these issues may lead to other attacks.

Unreal Commander 0.92 (build 565) and 0.92 (build 573) are vulnerable; prior versions may also be affected. 

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/30521-1.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/30521-2.zip
|参考资料

来源:BID
名称:25419
链接:http://www.securityfocus.com/bid/25419
来源:BUGTRAQ
名称:20070823X-DieselUnrealCommanderv0.92(build573)multiplevulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/477432/100/0/threaded
来源:SREASON
名称:3060
链接:http://securityreason.com/securityalert/3060
来源:SECUNIA
名称:26583
链接:http://secunia.com/advisories/26583