Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20200629210508.GB3565@localhost.localdomain>
Date: Mon, 29 Jun 2020 17:05:08 -0400
From: Dennis Goodlett <dennis@...ricanelabs.com>
To: oss-security@...ts.openwall.com
Subject: default behavior in unzip more dangerous then -^

I want to bring attention to default behavior of unzip on Linux. I
consider its current behavior unexpected and potentially dangerous.

# Unzip without -^ argument
By default unzip removes special characters from file names. This can
result in files being renamed or overwritten. In some circumstances this could
result in remote code execution.

Consider the case of a LAMP server that prevents users from uploading
files with a ".php" extension. If the system administrator restores or
refreshes the directory with unzip, he needs to use the "-^" flag to
keep from creating a ".php" file. See the following example:

```
$ ls uploads/ |grep "php" 		#### no php files in uploads
$ zip ./z.zip ./uploads/*
  adding: uploads/index.^[p^[h^[p (stored 0%)
$ unzip z.zip
Archive:  z.zip
 extracting: uploads/index.php
$ ls uploads/ |grep "php" 		#### unzip created index.php
index.php
```

Another example shows that files can be overwritten. While this example uses
"-f", the results would be the same without "-f" due to the order of the files.

```
$ cat uploads/old_file
OLD
$ zip z.zip uploads/*
adding: uploads/old_file (stored 0%)
adding: uploads/old_file^[ (stored 0%)
$ unzip -fo z.zip
Archive:  z.zip
extracting: uploads/old_file
$ cat uploads/old_file
NEW INJECTED
```

# My Opinion
I consider the file name "/e\x1btc/\x1bshadow" dangerous because some program
might mishandle the name and overwrite "/etc/shadow". The unzip utility agrees
so the default behavior will change "/e\x1btc/\x1bshadow" into "/etc/shadow".

# Potential Changes/fixes
Personally, I would prefer unzip to act like 7z and just extract the given name
without changes. Just updating unzip this way could cause problems for some
people that rely on the sanitization behavior.

A better solution would be to skip the extraction of files that have special
characters in their name. This is the current philosophy when encountering
directory traversal.

# Thank You
Thanks to Seth Arnold from Ubuntu's security team for pointing out the
"-^" argument to me.

-- 
Dennis Goodlett
Hurricane Labs
Cell: (216) 218-1372
GIT: https://github.com/swoops
http://hurricanelabs.com (@hurricanelabs)
EOF

-- 



This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed. If you have received this email in error please notify the 
system manager. This message contains confidential information and is 
intended only for the individual named. If you are not the named addressee 
you should not disseminate, distribute or copy this e-mail. Please notify 
the sender immediately by e-mail if you have received this e-mail by 
mistake and delete this e-mail from your system. If you are not the 
intended recipient you are notified that disclosing, copying, distributing 
or taking any action in reliance on the contents of this information is 
strictly prohibited.

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.