Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Directory traversal vulnerability in zziplib 0.13.69 #62

Open
92wyunchao opened this issue Sep 25, 2018 · 5 comments
Open

Directory traversal vulnerability in zziplib 0.13.69 #62

92wyunchao opened this issue Sep 25, 2018 · 5 comments

Comments

@92wyunchao
Copy link

92wyunchao commented Sep 25, 2018

Directory traversal vulnerability in zziplib 0.13.69 allows attackers to overwrite arbitrary files via a .. (dot dot) in an zip file.
$unzzip-mem evil.zip
evil.zip

Relevant code in function unzzip_cat in Unzzipcat-mem.c:
static int unzzip_cat (int argc, char ** argv, int extract)
{
......
if (argc == 2)
{ /* print directory list /
ZZIP_MEM_ENTRY
entry = zzip_mem_disk_findfirst(disk);
DBG2("findfirst %p\n", entry);
for (; entry ; entry = zzip_mem_disk_findnext(disk, entry))
{
char name = zzip_mem_entry_to_name (entry);*
FILE* out = stdout;
if (extract) out = create_fopen(name, "wb", 1); //no checkout here
if (! out) {
if (errno != EISDIR) {
DBG3("can not open output file %i %s", errno, strerror(errno));
done = EXIT_ERRORS;
}
continue;
}
unzzip_mem_disk_cat_file (disk, name, out);
if (extract) fclose(out);
}
}
......
}

static FILE* create_fopen(char* name, char* mode, int subdirs)
{
if (subdirs)
{
char* p = strrchr(name, '/');
if (p) {
char* dir_name = _zzip_strndup(name, p-name);
makedirs(dir_name);
free (dir_name);
}
}
return fopen(name, mode);
}

static void unzzip_mem_disk_cat_file(ZZIP_MEM_DISK* disk, char* name, FILE* out)
{
ZZIP_DISK_FILE* file = zzip_mem_disk_fopen (disk, name);
if (file)
{
char buffer[1025]; int len;
while ((len = zzip_mem_disk_fread (buffer, 1, 1024, file)))
{
fwrite (buffer, 1, len, out);
}
zzip_mem_disk_fclose (file);
}
}

@jmoellers
Copy link
Contributor

jmoellers commented Oct 4, 2018

Other "zip/unzip" programs just delete any "../" components from the path. Should zziplib do the same?
Added note: I'm not sure about this, as this would then unintendedly over-write yet another file!
Simply drop any pathname containing "../" or add an option to allow "../" in extracted pathnames?
NB This issue also exists in the other unzzipcat-*.c files!

@jmoellers
Copy link
Contributor

Proposed solution:
static inline void
remove_dotdotslash(char path)
{
/
Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
char *dotdotslash;
int warned = 0;

dotdotslash = path;
while ((dotdotslash = strstr("../", dotdotslash)) != NULL)
{
    /*
     * Remove only if at the beginning of the pathname ("../path/name")
     * or when preceded by a slash ("path/../name"),
     * otherwise not ("path../name..")!
     */
    if (dotdotslash == path || dotdotslash[-1] == '/')
    {
        char *src, *dst;
        if (!warned)
        {
            /* Note: the first time through the pathname is still intact */
            fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
            warned = 1;
        }
        /* We cannot use strcpy(), as there "The strings may not overlap" */
        for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src+, dst++)
            ;
    }
    else
        dotdotslash +=3;	/* skip this instance to prevent infinite loop */
}

}
then insert "remove_dotdotslash(dir_name);" before "makedirs(dir_name)".

@jmoellers
Copy link
Contributor

#63

gdraheim added a commit that referenced this issue Oct 4, 2018
@jamartis
Copy link
Contributor

Hey, unzip-mem (single z) seems to have the same problem.
patch.txt

@0-wiz-0
Copy link

0-wiz-0 commented Nov 23, 2024

https://nvd.nist.gov/vuln/detail/CVE-2018-17828 points to this ticket, and it seems to have open questions. Can you please fix this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants