Insecure Chaining of Flags T and TT
Bug #1916081 reported by Mal
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
zip (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Description:
In Zip for Linux, the “-TT” flag can be used to run arbitrary system commands. Due to the dangerous nature of this flag, it must always be used at the same time as the “-T” flag. By using a flag chaining attack, attackers that should only be able to insert just 1 flag in a zip command can insert both the “-T” and “-TT” flags and potentially execute malicious code.
A proof of concept and in-depth explanation can be found in the attached PDF file.
Hello, interesting finding; everything in here appears to be working as documented, so I'm not sure that there's a real security issue to be addressed in info-zip -- though it does seem like the -TT flag is perhaps a very niche need.
Have you discussed this with the info-zip developers yet?
I think opening this publicly would be the best approach for this issue. May we open it?
Thanks
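For callers that place an externally supplied file name into a zip command line, which is the situation the report describes, the following added example (not from the bug report, its PDF, or Info-ZIP) builds the argument vector so that an untrusted name can never be parsed as an option such as “-T” or “-TT”. The function names, the fixed `-q` option and the sample names are assumptions made for illustration.

```python
import subprocess

ZIP = "zip"                 # assumption: Info-ZIP zip is on PATH
FIXED_OPTIONS = ["-q"]      # options chosen by the program, never by the user


def as_path_operand(name: str) -> str:
    """Return `name` in a form the option parser treats as a path only."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    # A leading "-" is what lets a file name be read as a flag.
    # "./-TT" names the same file as "-TT" but no longer starts with "-".
    if name.startswith("-"):
        return "./" + name
    return name


def build_zip_argv(archive: str, members: list[str]) -> list[str]:
    """Build argv with program-chosen options first, untrusted paths after."""
    if not members:
        raise ValueError("nothing to archive")
    argv = [ZIP, *FIXED_OPTIONS, as_path_operand(archive)]
    argv += [as_path_operand(m) for m in members]
    # Invariant: everything after the fixed options is a plain path operand.
    first_operand = 1 + len(FIXED_OPTIONS)
    assert not any(a.startswith("-") for a in argv[first_operand:])
    return argv


def run_zip(archive: str, members: list[str]) -> None:
    """Execute zip without a shell, so names are passed as single arguments."""
    subprocess.run(build_zip_argv(archive, members), check=True)


if __name__ == "__main__":
    # Constructed sample input: two names that look like the flags in the report.
    print(build_zip_argv("backup.zip", ["-T", "-TT", "notes.txt"]))
```
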