- ------------------------------------------------------------------ 7a69ezine Advisories 7a69Adv#20 - ------------------------------------------------------------------ http://www.7a69ezine.org [02/02/2005] - ------------------------------------------------------------------ Title: ZipGenius unpack one-folder path disclosure Author: Albert Puigsech Galicia - <ripe@xxxxxxxxxxxxx> Software: ZipGenius Versions: >= 5.5 Remote: yes Exploit: yes Severity: Low - ------------------------------------------------------------------ I. Introduction. ZipGenius is a file compression suite that supports more than 20 formats of compressed archives including RAR, ARJ, ACE, CAB, SQX and ZIP. It's free and easy to use, and you can download it from http://www.zipgenius.it. II. Description. Zipgenius adds some options to unpack files directly using left-click. The option of extracting files directly in the directory allows you to store the files ina a directory that takes the same name of the compressed file but without the extension, so if the filename is '...zip' and you use this option the uncompressed data will be stored on "../" folder. III. Exploit It's realy hard to exploit this issue in a real scenario, because you can't know where the malicious file will. But, for example, if it's on 'C:/temp' you can create any file on the root filesystem. Windows does not allow to create a files with the apropiate name to exploit the vulnerability, but you can use other sistem to do it. IV. Patch Update to ZipGenius 6 Beta. V. Timeline 02/01/2005 - Bug discovered 10/01/2005 - Mail sent to zginfo@xxxxxxxxxxxx 16/01/2005 - Mail sent to zginfo@xxxxxxxxxxxx again 18/01/2005 - Vendor response 20/01/2005 - Solved in beta version 02/02/2005 - Advisor released VI. Extra data You can find more 7a69ezine advisories on this following link: http://www.7a69ezine.org/avisos/propios [spanish info]
