Vulnerabilities > CVE-2003-0282
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | PARTIAL |
Availability impact | NONE |
Summary
Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
OS | | 2 |
Exploit-Db
description | Info-ZIP UnZip 5.50 Encoded Character Hostile Destination Path Vulnerability. CVE-2003-0282. Remote exploit for linux platform |
id | EDB-ID:22584 |
last seen | 2016-02-02 |
modified | 2003-05-10 |
published | 2003-05-10 |
reporter | Jelmer |
source | https://www.exploit-db.com/download/22584/ |
title | Info-ZIP UnZip 5.50 Encoded Character Hostile Destination Path Vulnerability |
Nessus
NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2003-073.NASL |
description | A vulnerability was discovered in unzip 5.50 and earlier that allows attackers to overwrite arbitrary files during archive extraction by placing non-printable characters between two |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14056 |
published | 2004-07-31 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14056 |
title | Mandrake Linux Security Advisory : unzip (MDKSA-2003:073-1) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2003:073.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(14056);
  script_version ("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:46");

  script_cve_id("CVE-2003-0282");
  script_xref(name:"MDKSA", value:"2003:073-1");

  script_name(english:"Mandrake Linux Security Advisory : unzip (MDKSA-2003:073-1)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandrake Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability was discovered in unzip 5.50 and earlier that allows
attackers to overwrite arbitrary files during archive extraction by
placing non-printable characters between two '.' characters. These
invalid characters are filtered which results in a '..' sequence. The
patch applied to these packages prevents unzip from writing to parent
directories unless the '-:' command line option is used. Update : Ben
Laurie found that the original patch used to fix this issue missed a
case where the path component included a quoted slash. An updated
patch was used to build these packages."
  );
  # http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175
  script_set_attribute(
    attribute:"see_also",
    value:"http://marc.info/?l=bugtraq&m=105259038503175"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected unzip package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:unzip");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/08/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"unzip-5.50-4.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"unzip-5.50-4.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"unzip-5.50-4.2mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2003-237-01.NASL |
description | Upgraded infozip packages are available for Slackware 9.0 and -current. These fix a security issue where a specially crafted archive may overwrite files (including system files anywhere on the filesystem) upon extraction by a user with sufficient permissions. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 18722 |
published | 2005-07-13 |
reporter | This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/18722 |
title | Slackware 9.0 / current : unzip vulnerability patched (SSA:2003-237-01) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2003-237-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#

include("compat.inc");

if (description)
{
  script_id(18722);
  script_version("1.16");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  script_cve_id("CVE-2003-0282");
  script_xref(name:"SSA", value:"2003-237-01");

  script_name(english:"Slackware 9.0 / current : unzip vulnerability patched (SSA:2003-237-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Upgraded infozip packages are available for Slackware 9.0 and
-current. These fix a security issue where a specially crafted archive
may overwrite files (including system files anywhere on the
filesystem) upon extraction by a user with sufficient permissions."
  );
  # http://lwn.net/Articles/38540/
  script_set_attribute(
    attribute:"see_also",
    value:"https://lwn.net/Articles/38540/"
  );
  # http://www.securityfocus.com/bid/7550
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.securityfocus.com/bid/7550"
  );
  # http://xforce.iss.net/xforce/xfdb/12004
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b0c3557d"
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.357639
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f13925b4"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected infozip package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:infozip");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/08/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Slackware Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

flag = 0;
if (slackware_check(osver:"9.0", pkgname:"infozip", pkgver:"5.50", pkgarch:"i386", pkgnum:"2")) flag++;
if (slackware_check(osver:"current", pkgname:"infozip", pkgver:"5.50", pkgarch:"i486", pkgnum:"2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:slackware_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2003-200.NASL |
description | Updated unzip packages resolving a vulnerability allowing arbitrary files to be overwritten are now available. [Updated 15 August 2003] Ben Laurie found that the original patch to fix this issue missed a case where the path component included a quoted slash. These updated packages contain a new patch that corrects this issue. The unzip utility is used for manipulating archives, which are multiple files stored inside of a single file. A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 12403 |
published | 2004-07-06 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/12403 |
title | RHEL 2.1 : unzip (RHSA-2003:200) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2003:200. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12403);
  script_version ("1.27");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2003-0282");
  script_xref(name:"RHSA", value:"2003:200");

  script_name(english:"RHEL 2.1 : unzip (RHSA-2003:200)");
  script_summary(english:"Checks the rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated unzip packages resolving a vulnerability allowing arbitrary
files to be overwritten are now available. [Updated 15 August 2003]
Ben Laurie found that the original patch to fix this issue missed a
case where the path component included a quoted slash. These updated
packages contain a new patch that corrects this issue. The unzip
utility is used for manipulating archives, which are multiple files
stored inside of a single file. A vulnerabilitiy in unzip version 5.50
and earlier allows attackers to overwrite arbitrary files during
archive extraction by placing invalid (non-printable) characters
between two '.' characters. These non-printable characters are
filtered, resulting in a '..' sequence. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2003-0282
to this issue. This erratum includes a patch ensuring that
non-printable characters do not make it possible for a malicious .zip
file to write to parent directories unless the '-:' command line
parameter is specified. Users of unzip are advised to upgrade to these
updated packages, which are not vulnerable to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2003-0282"
  );
  # http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175
  script_set_attribute(
    attribute:"see_also",
    value:"https://marc.info/?l=bugtraq&m=105259038503175"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2003:200"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected unzip package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:unzip");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/06/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/08/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2003:200";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_NOTE,
      extra    : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"unzip-5.50-30")) flag++;

  if (flag)
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_NOTE,
      extra    : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "unzip");
  }
}
```

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-344.NASL |
description | A directory traversal vulnerability in UnZip 5.50 allows attackers to bypass a check for relative pathnames ( |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15181 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15181 |
title | Debian DSA-344-2 : unzip - directory traversal |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-344. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15181);
  script_version("1.22");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2003-0282");
  script_bugtraq_id(7550);
  script_xref(name:"DSA", value:"344");

  script_name(english:"Debian DSA-344-2 : unzip - directory traversal");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A directory traversal vulnerability in UnZip 5.50 allows attackers to
bypass a check for relative pathnames ('../') by placing certain
invalid characters between the two '.' characters. The fix which was
implemented in DSA-344-1 may not have protected against all methods of
exploiting this vulnerability."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2003/dsa-344"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"For the stable distribution (woody) this problem has been fixed in
version 5.50-1woody2. We recommend that you update your unzip package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:unzip");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2003/05/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.0", prefix:"unzip", reference:"5.50-1woody2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

Oval
accepted | 2007-04-25T19:52:37.784-04:00 |
class | vulnerability |
contributors | |
description | Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. |
family | unix |
id | oval:org.mitre.oval:def:619 |
status | accepted |
submitted | 2003-09-04T12:00:00.000-04:00 |
title | UnZip 5.0 Directory Traversal Vulnerability |
version | 37 |
References
- ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-031.0.txt
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000672
- http://download.immunix.org/ImmunixOS/7+/Updates/errata/IMNX-2003-7+-017-01
- http://marc.info/?l=bugtraq&m=105259038503175&w=2
- http://marc.info/?l=bugtraq&m=105786446329347&w=2
- http://www.ciac.org/ciac/bulletins/n-111.shtml
- http://www.debian.org/security/2003/dsa-344
- http://www.info-zip.org/FAQ.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:073
- http://www.redhat.com/support/errata/RHSA-2003-199.html
- http://www.redhat.com/support/errata/RHSA-2003-200.html
- http://www.securityfocus.com/bid/7550
- http://www.turbolinux.com/security/TLSA-2003-42.txt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/12004
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A619