CPIO Filename Directory Traversal Vulnerability
BID:13291
Info
| Bugtraq ID: | 13291 |
| Class: | Input Validation Error |
| CVE: | CVE-2005-1229 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 20 2005 12:00AM |
| Updated: | Dec 18 2007 08:05PM |
| Credit: | Discovery of this issue is credited to Imran Ghory. |
| Vulnerable: |
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux 10 F...
Turbolinux Home
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
SuSE Linux Enterprise Server 9
SuSE Linux Desktop 1.0
SCO Unixware 7.1.4
SCO Unixware 7.1.3 up
SCO Unixware 7.1.3
SCO Open Server 6.0
SCO Open Server 5.0.7
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 2008.0 x86_64
Mandriva Linux Mandrake 2008.0
Mandriva Linux Mandrake 2007.1 x86_64
Mandriva Linux Mandrake 2007.1
Mandriva Linux Mandrake 2007.0 x86_64
Mandriva Linux Mandrake 2007.0
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
MandrakeSoft Corporate Server 4.0
GNU gzip 1.3.5
GNU gzip 1.3.4
GNU gzip 1.3.3
GNU gzip 1.2.4 a
GNU gzip 1.2.4
GNU cpio 2.6
GNU cpio 2.5
GNU cpio 2.4.2
FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.11 -RELENG
FreeBSD FreeBSD 4.11 -RELEASE-p3
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE-p8
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.x
FreeBSD FreeBSD 2.x
FreeBSD FreeBSD -current
Avaya Intuity Audix R5 0 |
| Not Vulnerable: | |
Discussion
The cpio utility is prone to a directory-traversal vulnerability. The issue occurs when cpio is invoked on a malicious archive.
When an archive entry's filename is an absolute path containing '/' characters, cpio writes the file to that absolute path as given in the filename.
A remote attacker may leverage this issue using a malicious archive to corrupt arbitrary files with the privileges of the user that is running the vulnerable software.
Exploit / POC
There is no exploit required.
Solution / Fix
Solution:
Please see the references for vendor advisories and fixes.
GNU cpio 2.5
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 6.0 -STABLE
SCO Open Server 6.0
FreeBSD FreeBSD 6.0 -RELEASE
SCO Unixware 7.1.4
GNU cpio 2.5
- Mandriva cpio-2.5-4.2.100mdk.amd64.rpm
  Mandriva Linux 10.0/AMD64
  http://www1.mandrivalinux.com/en/ftp.php3
- Mandriva cpio-2.5-4.2.100mdk.i586.rpm
  Mandriva Linux 10.0
  http://www1.mandrivalinux.com/en/ftp.php3
- Mandriva cpio-2.5-4.2.C21mdk.i586.rpm
  Mandriva Corporate Server 2.1
  http://www1.mandrivalinux.com/en/ftp.php3
- Mandriva cpio-2.5-4.2.C21mdk.x86_64.rpm
  Mandriva Corporate Server 2.1/x86_64
  http://www1.mandrivalinux.com/en/ftp.php3
- Mandriva cpio-2.5-4.2.C30mdk.i586.rpm
  Mandriva Corporate Server 3.0
  http://www1.mandrivalinux.com/en/ftp.php3
- Mandriva cpio-2.5-4.2.C30mdk.x86_64.rpm
  Mandriva Corporate Server 3.0/x86_64
  http://www1.mandrivalinux.com/en/ftp.php3
- Mandriva cpio-2.5-4.3.101mdk.i586.rpm
  Mandriva Linux 10.1
  http://www1.mandrivalinux.com/en/ftp.php3
- Mandriva cpio-2.5-4.3.101mdk.x86_64.rpm
  Mandriva Linux 10.1/x86_64
  http://www1.mandrivalinux.com/en/ftp.php3
- Mandriva cpio-2.6-3.1.102mdk.i586.rpm
  Mandriva Linux 10.2
  http://www1.mandrivalinux.com/en/ftp.php3
- Mandriva cpio-2.6-3.1.102mdk.x86_64.rpm
  Mandriva Linux 10.2/x86_64
  http://www1.mandrivalinux.com/en/ftp.php3
- Trustix cpio-2.5-10tr.i586.rpm
  TSL 2.2
  ftp://ftp.trustix.org/pub/trustix/updates
- Turbolinux cpio-2.5-5.i586.rpm
  Turbolinux 10 Server
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/cpio-2.5-5.i586.rpm
- Turbolinux cpio-debug-2.5-5.i586.rpm
  Turbolinux 10 Server
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/cpio-debug-2.5-5.i586.rpm
FreeBSD FreeBSD 4.11 -STABLE
- FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch
FreeBSD FreeBSD 5.3
- FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch
FreeBSD FreeBSD 5.3 -STABLE
- FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch
FreeBSD FreeBSD 5.4 -RELENG
- FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch
FreeBSD FreeBSD 6.0 -STABLE
- FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch
SCO Open Server 6.0
- SCO p532911.600_vol.tar
  ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.2/p532911.600_vol.tar
FreeBSD FreeBSD 6.0 -RELEASE
- FreeBSD cpio.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch
SCO Unixware 7.1.4
- SCO erg712854.uw714.pkg.Z
  ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.32/erg712854.uw714.pkg.Z
References
References:
- ASA-2005-191 - cpio race condition - (SCOSA-2005.32) (Avaya)
- cpio Home Page (GNU)
- gzip home page (GNU)
- gzip: dir traversal bug when using "gunzip -N" (Ulf Harnhammar)
- cpio directory traversal vulnerability (Imran Ghory)
- gzip directory traversal vulnerability (Imran Ghory)