Bug#838248: unadf: details of CVE-2016-1243 and CVE-2016-1244
Hi,
Here are the details of these vulnerabilities for the curious:
CVE-2016-1243
=============
    void extractTree(struct Volume *vol, struct List* tree, char *path, unsigned char *extbuf,
                     BOOL pflag, BOOL qflag)
    {
        struct Entry* entry;
        char *buf;
        char sysbuf[200];                 /* fixed-size stack buffer */

        while(tree) {
            entry = (struct Entry*)tree->content;
            if (entry->type==ST_DIR) {
                buf = NULL;
                if (strlen(path)>0) {
                    buf=(char*)malloc(strlen(path)+1+strlen(entry->name)+1);
                    if (!buf) return;
                    sprintf(buf,"%s%c%s",path,DIRSEP,entry->name);   /* buf is sized for this */
                    sprintf(sysbuf,"%s %s",MKDIR,buf);                /* sysbuf is not: unbounded copy */
Here, sysbuf can be caused to overflow, for example by giving an .adf
archive which has a file with a very long name and/or path.
CVE-2016-1244
=============
When unadf extracts an .adf file, it creates directory paths by executing
mkdir via system(), but does not sanitize pathname strings in any
way. If the user can be tricked into extracting a specially crafted .adf
file, the attacker can execute arbitrary code with the privileges of the
user.
As a proof of concept, I have crafted a file which executes 'ls' when
unpacked by vulnerable unadf: http://tmp.tjjr.fi/boom.adf
Action log:
$ unadf boom.adf
unADF v1.0 : a unzip like for .ADF files, powered by ADFlib (v0.7.11a - January 20th, 2007)
Device : Floppy DD. Cylinders = 80, Heads = 2, Sectors = 11. Volumes = 1
Volume : Floppy 880 KBytes, "Work" between sectors [0-1759]. OFS . Filled at 0.3%.
x - somedir;ls/
adflib.dsw AUTHORS.txt boom.adf CHANGES.txt debian Docs dynunadf.dsp FilesToInstall Lib README.txt somedir staticunadf.dsp
adfwrapper.h Bin Boot COPYING.txt Demo dynlib.dsp Faq gen_spec.sh Makefile snip.c staticlib.dsp
--
Tuomas
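Added example, not part of the bug report and not unadf's own code: how a maintainer could close both defects described above at their source. CVE-2016-1243 comes from sprintf() into the 200-byte sysbuf, and CVE-2016-1244 from passing the joined path to system("mkdir ..."); the hardened code below validates the entry name as a single path component, joins it with an explicit length check, and creates the directory with mkdir(2) so that no shell ever parses the name. The names is_safe_component, join_path, create_dir_safely and demo are assumptions of this example, DIRSEP is assumed to be '/' here, and demo() uses a constructed scratch directory under /tmp together with the PoC's "somedir;ls" entry name from the action log.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define DIRSEP '/'   /* unadf's macro; assumed value for POSIX in this example */

/* Result codes for create_dir_safely() (names are this example's own). */
enum { DIR_OK = 0, DIR_BAD_NAME = -1, DIR_TOO_LONG = -2, DIR_MKDIR_FAILED = -3 };

/* Accept an archive entry name only as a single path component: non-empty,
 * no '/' or '\\' (so it cannot escape the extraction tree), not "." or "..",
 * and no control characters. Shell metacharacters such as ';' are NOT
 * rejected on purpose: once the name never reaches a shell they are plain
 * bytes, and rejecting them would refuse legitimate Amiga file names. */
int is_safe_component(const char *name)
{
    if (name == NULL || name[0] == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f) return 0;
    return 1;
}

/* Bounded replacement for sprintf(buf, "%s%c%s", path, DIRSEP, name).
 * Returns 0 on success, -1 if the result (with its NUL) does not fit. */
int join_path(char *dst, size_t dstsz, const char *path, const char *name)
{
    int n = (path[0] == '\0') ? snprintf(dst, dstsz, "%s", name)
                              : snprintf(dst, dstsz, "%s%c%s", path, DIRSEP, name);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0) dst[0] = '\0';   /* never leave a half-built path behind */
        return -1;
    }
    return 0;
}

/* Replacement for sprintf(sysbuf, "%s %s", MKDIR, buf); system(sysbuf);
 * The directory is created with mkdir(2), so the name is never parsed by a
 * shell. An existing directory counts as success, as "mkdir -p" would.
 * On success the joined path is left in out. */
int create_dir_safely(const char *path, const char *name, char *out, size_t outsz)
{
    if (!is_safe_component(name)) return DIR_BAD_NAME;
    if (join_path(out, outsz, path, name) != 0) return DIR_TOO_LONG;
    if (mkdir(out, 0755) != 0 && errno != EEXIST) return DIR_MKDIR_FAILED;
    return DIR_OK;
}

/* Helper for checks: does joining path and name fit into cap bytes? */
int join_fits(const char *path, const char *name, size_t cap)
{
    char buf[256];
    if (cap > sizeof buf) cap = sizeof buf;
    return join_path(buf, cap, path, name) == 0;
}

/* Replays the PoC entry name "somedir;ls" and two hostile inputs against the
 * hardened code in a constructed scratch directory under /tmp. Returns 1 when
 * a directory literally named "somedir;ls" was created, the traversal name
 * was refused, and an over-long name was rejected instead of overflowing a
 * 200-byte buffer like sysbuf; returns 0 otherwise. */
int demo(void)
{
    char base[64], made[256], other[256], small[200], longname[240];
    struct stat st;
    int ok = 0;

    snprintf(base, sizeof base, "/tmp/unadf_demo_%ld", (long)getpid());
    if (mkdir(base, 0700) != 0) return 0;

    if (create_dir_safely(base, "somedir;ls", made, sizeof made) == DIR_OK
        && stat(made, &st) == 0 && S_ISDIR(st.st_mode)
        && strcmp(strrchr(made, '/') + 1, "somedir;ls") == 0)
        ok = 1;                                   /* ';' stayed a plain byte */

    if (create_dir_safely(base, "../escape", other, sizeof other) != DIR_BAD_NAME)
        ok = 0;                                   /* traversal never reaches mkdir(2) */

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    if (create_dir_safely(base, longname, small, sizeof small) != DIR_TOO_LONG)
        ok = 0;                                   /* would have overflowed sysbuf */

    rmdir(made);
    rmdir(base);
    return ok;
}

int main(void)
{
    printf("hardened extraction behaves as expected: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The key design choice is removing system() rather than trying to quote its argument: every byte the archive controls is then an ordinary argument to mkdir(2), and the only names that still need refusing are those that would change where the directory is created.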