Wednesday, July 2, 2008

(Blog wakeup call) Tip of the Moment: Zip Traversal

Well, I didn't think this was worth a post before, but it's been ages since the last post, so it's about time something got stuck up here. So I bring you my handy tip of the moment: zip traversal.

Sometimes you come across a system that allows upload in zip format to save bandwidth. The zip file is then decompressed by the system after upload. Anywhere there's a file upload should get your arbitrary-file-upload senses tingling, but unfortunately it (hopefully) does the same for developers. The upload destination folder may not allow execution, may have no handler mappings to run web scripts, or may sit outside the webroot if a website is being targeted.

But depending on how the unzip routine used by the application works, there may yet be a way to write files to arbitrary locations. By editing a zip file so that certain entries in the archive have names starting with a series of "../", you can traverse back up to the root of the file system and then specify whatever path you feel like. This can be done, for example, by zipping a file with a long file name and editing the archive in a hex editor, changing the extra letters of the file name to ../ as needed.

This of course depends on the local file permissions and the user the unzipping process runs under. It also depends on whether the unzip routine detects the dangerous paths or simply honours them, as some background unzipping processes do.
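As an added example (not the post's own code): a Python extraction routine that applies the check described above, resolving every entry name against the destination directory and refusing any that would land outside it. The archive and its entry names are constructed here for illustration.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample: one benign entry plus three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("../../escaped.txt", "would land outside the upload folder")
        zf.writestr("..\\win\\escaped.txt", "same trick with backslashes")
        zf.writestr("/etc/evil.conf", "absolute path")
    return buf.getvalue()


def entry_is_safe(dest_dir: str, name: str) -> bool:
    """True only if the entry resolves to a path inside dest_dir."""
    name = name.replace("\\", "/")          # don't let Windows separators dodge the check
    if posixpath.isabs(name):
        return False
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    return target == root or target.startswith(root + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only entries that stay under dest_dir; return (written, rejected)."""
    written, rejected = [], []
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not entry_is_safe(root, info.filename):
                rejected.append(info.filename)   # log this: it is an attack indicator
                continue
            target = os.path.join(root, info.filename)
            if info.filename.endswith("/"):      # directory entry
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo() -> dict:
    """Run the sample archive through safe_extract in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = safe_extract(build_sample_zip(), dest)
        inside = os.path.exists(os.path.join(dest, "docs", "readme.txt"))
        outside = os.path.exists(os.path.join(dest, "..", "..", "escaped.txt"))
    return {"written": written, "rejected": rejected, "inside": inside, "outside": outside}
```

The rejected list is worth logging as-is: a legitimate upload never contains such names, so a single hit is a reliable detection signal.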

So there it is, my tip of the moment. Nothing impressive, but kind of nifty. And maybe we will wake up some other bloggers :)

3 comments:

Robin said...

Do you know if the php unzip stuff ( http://uk.php.net/manual/en/ref.zip.php ) is vulnerable to this?

cyber_eagle said...

I tested it with ZipArchive::extractTo on PHP 5.2.0 and it will extract with ../ relative paths without blinking. I didn't check the lower level zip functions because it looked a bit like work and it's Sunday night hehe. But PHP tends to obey ../ in paths in most places, so it probably still is. Of course we should always mind our ../'s, especially in PHP, but it's easy to miss when it's hidden in an archive!

Alex said...

Though at work with zip files there is good tool-repairing broken zip, I said about it, because program has many other facilities, also it is free as far as I can see, yet tool can save a lot of free space on your HDD, when applied to files, that are used rarely, program is so easy to use, that it does not require any technical skills, anyone, who knows Windows interface, can work with this tool, supports Windows 98, Windows Me, Windows NT 4.0, Windows 2000, Windows XP, Windows XP SP2, Windows 2003 and Windows Vista, program is very powerful, it contains several different algorithms, developed in our company, for accurate data recovery, repair zip file broken and repair broken zip file does not modify source file during the process, so, you can take it and try to recover with any other Zip repair service and compare the results.