Computer Security
[EN] no-pyccku

Related information

  Directory traversal and absolute path in multiple archivers

  rPSA-2007-0172-1 tar

  BitZipper Archive Extraction Directory traversal

  TUGZip Archive Extraction Directory traversal

  [SA19511] KGB Archiver Directory Traversal Vulnerability

From:3APA3A <3APA3A_(at)>
Subject:SECURITY.NNOV: directory traversal and path globbing in multiple archivers


Topic:                    Directory traversal and path globbing in
                         multiple archivers
Author:                   3APA3A <[email protected]>
Affected Software:        GNU tar <= 1.13.19, Info-Zip UnZip <= 5.42,
                         RARSoft rar <= 2.02, PKWare pkzipc <= 4.00
Not affected:             rar 2.80, WinZIP 8.0
Risk:                     low/average
Released:                 July, 2, 2001
SECURITY.NNOV advisories:


Archive  extraction  is  usually treated by users as a safe operation.
There are few problems with files extraction though.


Among  them:  huge  files with high compression ratio are able to fill
memory/disk  (see  "Antivirus scanner DoS with zip archives" thread on
Vuln-Dev),  special device names and special characters in file names,
directory  traversal  (dot-dot  bug). Probably, directory traversal is
most  dangerous  among  this  bugs, because it allows to craft archive
which  will  trojan  system  on  extraction. This problem is known for
software  developers,  and  newer  archivers usually have some kind of
protection.  But  in  some  cases  this  protection is weak and can be
bypassed.  I did very quick (approx. 30 minutes, so may be I've missed
something) researches on few popular archivers. Results are below.

Detailed info:

GNU tar (all platforms):

tar  below  1.13.19  including  latest  releases  has  no any ".." or
absolute  path  protection.  Tar development team was contacted. They
replied  they're  aware  of  problem  and current development version
1.13.19  implements  some  kind of protection but it doesn't work for
most  cases  due  to  bug in coding. Exploitation scenario was passed
back  to  development  team. I hope it will work then 1.13.19 will be
finally  released.  See  attached  patch (tar-1.13.19.patch). 1.13.19
sources can be obtained from

Info-Zip's UnZip (all platforms):

all  versions  have neither .. nor absolute path protection. No reply
from vendor. See attached patch (unzip-5.42.patch).

PKWare's PKZip (Windows):

console  version was tested. It's vulnerable, if archive is extracted
with  -rec (recursive) option. If this option is not given archive is
extracted without directory structure. All versions up to latest 4.00
are  vulnerable.  Program  is shareware, no sources available. Vendor
contacted, still in work. Status of patch unknown.

RARsoft (Eugene Roshal's) RAR (all platforms):

Directory  traversal  protection  was  implemented  in rar 2.02. This
protection  can  be bypassed. Eugene Roshal was contacted and replied
latest  version of rar (2.80) is absolutely safe. It's true, but 2.02
is latest available version in most Unix ports (2.80 is available for
Windows  and Linux, you can use Linux version if your system supports
Linux  emulation). Program is shareware, no sources available. Status
of patch unknown.

WinZip (Windows):

Behavior  is  close  to  ideal. Console version doesn't extract files
with  ".."  until  special  switch  is not selected, windowed version
warns user on ".." about possible impacts of such extraction.


Exploitation  of  path globbing and directory traversal under Windows
exploitation  is  trivial.  On  most unix system to exploit directory
traversal  you should guess level of directory file will be extracted
to.  tar  and  rar are able to create files with permission different
from  umask,  it  makes  it  possible to create executables. Only tar
overwrites target files without prompt by default.

Demo archives can be found on


List  content  of  archive  before extraction if archive was obtained
from  untrusted source (but have in mind that name of the file can be
with  something  like  ../^H^H^H  -  do not trust your eyes, use some
program).  Never automate archive extraction, or use jail if you need
automation.  Be  sure  never  run  extraction from user with elevated


Wait  for  vendor  patch  or  use checked archivers or apply attached
patches on your own risk.

       { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
You know my name - look up my number (The Beatles)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod