by Tan Chew Keong
Release Date: 2013-07-11
Summary
An archive extraction directory traversal vulnerability has been found in WinZip for Android. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Tested Versions
Details
This advisory discloses an archive extraction directory traversal vulnerability in WinZip for Android. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
When extracting compressed files from an archive, the extraction functionality does not properly sanitise compressed files that have directory traversal sequences in their filenames. By tricking a user into extracting a specially crafted archive containing files with directory traversal sequences in their filenames, an attacker can write files to arbitrary locations within the SD card of the user's Android device, possibly overwriting the user's existing files.
For example, a malicious archive can contain a compressed file with the following filename:
/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt
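The check the extraction step is missing can be shown with a short audit routine. This is an added example, not WinZip's code or code from the advisory: it resolves each entry name against the destination folder the way a naive extractor would and rejects any result outside that folder. The function names and the in-memory test archive are constructed for illustration; the destination path and entry name are the ones quoted in this advisory.

```python
import io
import posixpath
import zipfile

DEST = "/mnt/sdcard/Download/winzip110POC"  # folder "Unzip here" should fill (from the advisory)
POC_NAME = "/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt"  # entry name quoted in the advisory

def resolved_target(dest_dir, entry_name):
    """Path a naive extractor writes to: dest_dir + '/' + entry name, with '..' resolved."""
    name = entry_name.replace("\\", "/")  # some archivers store backslash separators
    return posixpath.normpath(dest_dir + "/" + name)

def is_inside(dest_dir, target):
    """True only if target is dest_dir itself or lies beneath it."""
    root = posixpath.normpath(dest_dir)
    # Compare with a trailing separator so a sibling such as
    # 'winzip110POC-old' does not pass a bare prefix test.
    return target == root or target.startswith(root + "/")

def audit_archive(zip_bytes, dest_dir):
    """Return (entry name, resolved target, safe?) for every entry, writing nothing."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolved_target(dest_dir, info.filename)
            report.append((info.filename, target, is_inside(dest_dir, target)))
    return report

def build_sample():
    """Constructed in-memory test archive: one ordinary entry, one with the advisory's name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "ordinary entry")
        zf.writestr(zipfile.ZipInfo(POC_NAME), "traversal entry")
    return buf.getvalue()

if __name__ == "__main__":
    for name, target, safe in audit_archive(build_sample(), DEST):
        print("OK    " if safe else "REJECT", name, "->", target)
```

The comparison here is lexical only; an extractor running on a real filesystem should compare canonical paths with symbolic links resolved before writing each entry.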
POC / Test Code
Please download the POC here and follow the instructions below.
Instructions for Testing the Vulnerability (Test Case 1):
- Copy the POC ZIP archive into the /mnt/sdcard/Download directory of your Android device.
- IMPORTANT: Ensure that the /mnt/sdcard/DCIM/ directory exists on your Android device in order for the POC to work.
- Extract the POC ZIP archive into the /mnt/sdcard/Download directory. i.e. tap and hold on to the POC ZIP file until the action selection pop-up appears, then select the "Unzip here" option.
- When the extraction completes, navigate to the /mnt/sdcard/DCIM directory. You'll notice that zipPOC.txt has been extracted into /mnt/sdcard/DCIM/zipPOC.txt instead of into /mnt/sdcard/Download/winzip110POC/zipPOC.txt.
Instructions for Testing the Vulnerability (Test Case 2):
- View this web-page from an Android device that has WinZip installed.
- Download the POC ZIP archive directly from this web-page using the Android device.
- After the download completes, the POC ZIP archive will be automatically opened by WinZip.
- Use file manager software to navigate to the /mnt/sdcard/DCIM directory. You'll notice that zipPOC.txt has been automatically extracted into /mnt/sdcard/DCIM/zipPOC.txt.
Hence, by tricking a user into extracting or downloading a specially-crafted archive, an attacker can potentially exploit this issue to write files into arbitrary locations within the SD card in the user's Android device, or to overwrite files in known locations within the SD card.
For example, an attacker who is aware of the filenames of the user's photos in the /mnt/sdcard/DCIM/ directory can exploit this vulnerability to overwrite the user's photo files.
Patch / Workaround
Update to version 1.1.1.
Disclosure Timeline
2013-06-13 - Vulnerability Discovered.
2013-06-14 - Vulnerability Details Sent to Vendor.
2013-07-09 - Asked vendor when fixed version will be released.
2013-07-10 - Vendor replied that fixed version has been released to Google Play.
2013-07-11 - Public Release.