Christian Kindahl TUGZip Multiple Directory Traversal Vulnerabilities

Vulnerability ID: 1195444
Vulnerability type: Path traversal
Published: 2006-04-11
Updated: 2007-06-26
CVE ID: CVE-2006-1715
CNNVD ID: CNNVD-200604-152
Platform: N/A
CVSS score: 5.0
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006040021
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-152
|Vulnerability details
A directory traversal vulnerability exists in Christian Kindahl TUGZip 3.4.0.0, 3.3.0.0 and 3.1.0.2. It allows user-assisted attackers to create files in arbitrary directories by means of a crafted (1) .gz, (2) .jar, (3) .rar or (4) .zip file whose archive entry names contain '..' (dot dot) sequences.
|Exploit
TUGZip Archive Extraction Directory traversal 
TUGZip is a powerful award-winning freeware archiving
utility for Windows® that provides support for a wide
range of compressed, encoded and disc-image files, as
well as many other very powerful features; all through
an easy to use application interface and Windows
Explorer integration. 
Supports ZIP, 7-ZIP, A, ACE, ARC, ARJ, BH, BZ2, CAB,
CPIO, DEB, GCA, GZ, IMP, JAR, LHA (LZH), LIB, RAR,
RPM, SQX, TAR, TGZ, TBZ, TAZ, YZ1 and ZOO archives. 
Create 7-ZIP, BH, BZ2, CAB, JAR, LHA (LZH), SQX, TAR,
TGZ, YZ1 and ZIP archives. 
 
http://www.tugzip.com

Credit:
The information has been provided by Hamid Ebadi and
Claus Berghammer

Hamid Ebadi (Hamid Network Security Team): admin[at]hamid[.]ir
Claus Berghammer: office(at)cb-computerservice(dot)at

The original article can be found at :
http://hamid.ir/security

Vulnerable Systems:
TUGZip 3.4.0.0, TUGZip 3.3.0.0, TUGZip 3.1.0.2

Detail :

The vulnerability is caused by an input validation error
when extracting GZ (*.gz), JAR (*.jar), RAR (*.rar) and
ZIP (*.zip) archives: the file names stored in the archive
are not sanitised before they are joined to the extraction
directory. An entry name containing the "../" directory
traversal sequence therefore makes TUGZip write the file
to an arbitrary location outside the directory the user
selected.

Do not extract untrusted RAR, JAR, ZIP or GZ files.
To reduce the risk, never extract files as an
administrative user.
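The check TUGZip is missing, as an added example that is not part of the original advisory and not TUGZip's code: every entry name is validated before it is joined to the extraction directory, and the resolved path is re-checked against that directory. The sample archive is constructed in memory with one benign entry and two traversal entries (using "/" and "\" separators), and the helper names are assumed.

```python
import io
import os
import tempfile
import zipfile

def is_safe_member(name: str) -> bool:
    """True only if the entry name cannot leave the extraction root."""
    # Backslashes count as separators: Windows extractors treat them as such.
    n = name.replace("\\", "/")
    # Reject absolute paths, drive letters and any '..' path component.
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        return False
    return ".." not in n.split("/")

def safe_extract(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract an in-memory ZIP into dest; returns (extracted, rejected) names."""
    root = os.path.realpath(dest)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename.replace("\\", "/")))
            # Second line of defence: the resolved path must still sit under root.
            if not is_safe_member(info.filename) or os.path.commonpath([root, target]) != root:
                rejected.append(info.filename)
                continue
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected

def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus two '..' traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
        zf.writestr("../../escaped.txt", "would land two levels above dest\n")
        zf.writestr("..\\..\\escaped2.txt", "same trick with backslashes\n")
    return buf.getvalue()

def demo() -> tuple[list[str], list[str], bool]:
    """Run the checked extractor on the sample inside a scratch directory."""
    dest = tempfile.mkdtemp()
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    return extracted, rejected, os.path.isfile(os.path.join(dest, "docs", "readme.txt"))

if __name__ == "__main__":
    print(demo())
```

The same two checks apply to the GZ, JAR and RAR formats named in the advisory; only the container parser differs.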

Harmless proof of concept:
use HEAP [Hamid Evil Archive Pack], which can be
downloaded from Hamid Network Security Team:

http://www.hamid.ir/tools/

Want to know more?
http://www.hamid.ir/paper
|References

Source: XF
Name: tugzip-archive-directory-traversal(25713)
Link: http://xforce.iss.net/xforce/xfdb/25713
Source: BID
Name: 17432
Link: http://www.securityfocus.com/bid/17432
Source: BUGTRAQ
Name: 20060410 TUGZip Archive Extraction Directory traversal
Link: http://www.securityfocus.com/archive/1/archive/1/430433/100/0/threaded
Source: MISC
Link: http://www.hamid.ir/security/tugzip.txt
Source: SREASON
Name: 686
Link: http://securityreason.com/securityalert/686