Insecure Chaining of Flags T and TT

Bug #1916081 reported by Mal
Affects: zip (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Description:
In Zip for Linux, the “-TT” flag can be used to run arbitrary system commands. Due to the dangerous nature of this flag, it must always be used at the same time as the “-T” flag. By using a flag-chaining attack, attackers who should only be able to insert a single flag into a zip command can insert both the “-T” and “-TT” flags and potentially execute malicious code.

A proof of concept and an in-depth explanation can be found in the attached PDF file.
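As an added defensive illustration (not part of Mal's report or of the attached PDF), the following Python wrapper shows how a program that passes caller-controlled options on to zip can check each short-option cluster letter by letter, so that a chained token such as "-rT" is rejected together with "-T" and "-TT". The allowlist of permitted letters, the rejection of all long options, and the rule that file operands may not begin with a dash are assumptions chosen for this example, not behaviour of zip itself.

```python
"""Defensive wrapper for building a zip argv from partially caller-controlled options.

Added example; it is not code from the bug report or from Info-ZIP.  The point
it demonstrates: an allowlist of whole tokens ("-r" is fine) is not enough,
because zip accepts clustered short options in one token ("-rT"), so a single
injected token can carry several flags.  Every letter of a cluster is therefore
checked, and the letter 'T' (the -T / -TT family) is refused outright.
"""

# Constructed allowlist: recurse, quiet, maximum compression.  Which letters a
# real deployment permits is an assumption that depends on the caller's needs.
ALLOWED_SHORT = frozenset("rq9")


def option_letters(token: str) -> list:
    """Expand a short-option cluster such as "-rq9" into ["r", "q", "9"]."""
    if not token.startswith("-") or token.startswith("--") or len(token) < 2:
        raise ValueError("not a short-option cluster: %r" % token)
    return list(token[1:])


def validate_zip_args(user_args) -> list:
    """Return a copy of user_args if every token is acceptable, else raise ValueError.

    Rules (assumptions for this example):
      * long options ("--...") are rejected entirely
      * every letter in a short-option cluster must be in ALLOWED_SHORT
      * the letter 'T' is rejected wherever it appears, so -T, -TT and
        chained forms like -rT all fail the same check
    """
    for tok in user_args:
        if not tok.startswith("-"):
            raise ValueError("option expected, got operand: %r" % tok)
        if tok.startswith("--"):
            raise ValueError("long options are not permitted: %r" % tok)
        letters = option_letters(tok)
        if "T" in letters:
            raise ValueError("archive-test options (-T/-TT) are not permitted: %r" % tok)
        unknown = [ch for ch in letters if ch not in ALLOWED_SHORT]
        if unknown:
            raise ValueError("option letter(s) not allowlisted in %r: %s" % (tok, unknown))
    return list(user_args)


def is_rejected(user_args) -> bool:
    """Convenience predicate: True if validate_zip_args refuses the arguments."""
    try:
        validate_zip_args(user_args)
    except ValueError:
        return True
    return False


def build_zip_command(archive: str, paths, user_flags=()) -> list:
    """Build an argv list for subprocess.run (never a shell string).

    Operands that begin with '-' are refused so that zip cannot parse a
    caller-supplied file name as an option cluster.
    """
    flags = validate_zip_args(user_flags)
    operands = [archive, *paths]
    for op in operands:
        if op.startswith("-"):
            raise ValueError("operand may not start with '-': %r" % op)
    return ["zip", *flags, *operands]


if __name__ == "__main__":
    # Constructed sample inputs: one benign call and several chained/injected tokens.
    print(build_zip_command("out.zip", ["docs"], ["-r"]))
    for candidate in (["-T"], ["-TT"], ["-rT"], ["--test"], ["-x"]):
        print(candidate, "rejected" if is_rejected(candidate) else "accepted")
```

The wrapper hands the resulting list to `subprocess.run` without `shell=True`; the letter-level check is what closes the gap the report describes, since a token-level allowlist would pass "-rT" as readily as "-r".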

Seth Arnold (seth-arnold) wrote :

Hello, interesting finding; everything in here appears to be working as documented, so I'm not sure that there's a real security issue to be addressed in info-zip -- though it does seem like the -TT flag is perhaps a very niche need.

Have you discussed this with the info-zip developers yet?

I think opening this publicly would be the best approach for this issue. May we open it?

Thanks

Changed in zip (Ubuntu):
status: New → Confirmed
Mal (mal-aware) wrote :

Hi Seth,

I did not find a way to get in touch with the Info-Zip team. The contact form at "http://infozip.sourceforge.net/zip-bug.html" seems to be broken.

If you know of any other way to contact them then I would gladly try again.

If the Info-Zip team is not successfully reached by the end of next week (26/02/2021), or if they consider this to be a non-security issue, I also consider that the best way to move forward will be to make this issue public.

Have a nice day,
Mal

Seth Arnold (seth-arnold) wrote :

Thanks Mal, I don't know any other way to contact the Info-Zip team. Did your attempt with the form return a direct error message or has there just been no reply yet?

Thanks

Mal (mal-aware) wrote :

The form "indirectly" results in an error after a redirect to another site.

The mail(s) may have been sent regardless of the error, that is why I suggested waiting until 26/02/2021, and if no reply is received we will proceed with making the project public.

If you have any other idea/recommendation/questions, I'm all ears.

Have a nice weekend,
Mal

Seth Arnold (seth-arnold) wrote :

I'm out of ideas, I like your plan to wait a bit to hope the form worked. Have a nice weekend!

Thanks

Mal (mal-aware) wrote :

Hi Seth,

No reply was received from Info-Zip.

Can you do the honours of making the bug "public" or "public security"?

Thanks,
Mal

Seth Arnold (seth-arnold) wrote :

Done, thanks Mal.

information type: Private Security → Public Security