by Tan Chew Keong
Release Date: 2013-05-31
[en] [jp]
Summary
An archive extraction directory traversal vulnerability has been found in RbigSoft Easy Unrar, Unzip & Zip. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Tested Versions
Details
This advisory discloses an archive extaction directory traversal vulnerability in RbigSoft Easy Unrar, Unzip & Zip. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
When extacting compressed files from an archive, the extraction functionality does not properly sanitise compressed files that have directory traversal sequences in their filenames. By tricking a user to extract a specially crafted archive containing files with directory traversal sequences in their filenames, an attacker can write files to arbitrary locations within the SD card of the user's Android device, possibly overwriting the user's existing files.
For example, a malicious archive can contain a compressed file with the following filename:
/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt
POC / Test Code
Please download the POC ZIP archive here and follow the instructions below. Note that other archive types are potentially also affected.
Instructions for testing Directory Traversal in Archive Extraction:
- Copy the POC ZIP archive into the Download directory of your Android device.
- IMPORTANT: Ensure that the /mnt/sdcard/DCIM/ directory exists on your Android device in order for the POC to work.
- Extract the POC ZIP archive into the Download directory. i.e. select the POC ZIP file and click on the "Extract all here" button while in the Download directory.
- When the extraction completes, navigate to the /mnt/sdcard/DCIM directory. You'll notice that zipPOC.txt has been extracted into /mnt/sdcard/DCIM/zipPOC.txt instead of into /mnt/sdcard/Download/zipPOC.txt.
Hence, by tricking a user to extract a specially-crafted archive, an attacker can potentially exploit this issue to write files into arbitrary locations within the SD card in the user's Android device, or to overwrite files in known locations within the SD card.
For example, an attacker who is aware of the filenames of the user's photo in the /mnt/sdcard/DCIM/ directory can exploit this vulnerability to overwrite the user's photo files.
Patch / Workaround
Avoid extacting untrusted archives.
Disclosure Timeline
2013-05-20 - Vulnerability Discovered.
2013-05-21 - Initial Vendor Notification (no reply).
2013-05-23 - Second Vendor Notification (no reply).
2013-05-26 - Third Vendor Notification (no reply).
2013-05-28 - Fourth Vendor Notification (no reply).
2013-05-31 - Public Release.