ID CVE-2015-2304
Summary Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.
References
Vulnerable Configurations
  • Libarchive Libarchive 3.1.2 (x64) 64-bit
    cpe:2.3:a:libarchive:libarchive:3.1.2:-:-:-:-:x64
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.10
    cpe:2.3:o:canonical:ubuntu_linux:14.10
  • OpenSUSE 13.1
    cpe:2.3:o:opensuse:opensuse:13.1
  • OpenSUSE 13.2
    cpe:2.3:o:opensuse:opensuse:13.2
CVSS
Base: 6.4 (as of 14-06-2016 - 14:06)
Impact:
Exploitability:
CWE CWE-22
CAPEC
  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
  • Using Escaped Slashes in Alternate Encoding
    This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL PARTIAL
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-157.NASL
    description Updated libarchive packages fix security vulnerability : Alexander Cherepanov discovered that bsdcpio, an implementation of the cpio program part of the libarchive project, is susceptible to a directory traversal vulnerability via absolute paths (CVE-2015-2304).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 82410
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82410
    title Mandriva Linux Security Advisory : libarchive (MDVSA-2015:157)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0667-1.NASL
    description libarchive was updated to fix a directory traversal in the bsdcpio tool, which allowed attackers supplying crafted archives to overwrite files. (CVE-2015-2304) Also, a integer overflow was fixed that could also overflow buffers. (CVE-2013-0211) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 83710
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83710
    title SUSE SLED12 / SLES12 Security Update : libarchive (SUSE-SU-2015:0667-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2549-1.NASL
    description It was discovered that the libarchive bsdcpio utility extracted absolute paths by default without using the --insecure flag, contrary to expectations. If a user or automated system were tricked into extracting cpio archives containing absolute paths, a remote attacker may be able to write to arbitrary files. (CVE-2015-2304) Fabian Yamaguchi discovered that libarchive incorrectly handled certain type conversions. A remote attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-0211). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 82268
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82268
    title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : libarchive vulnerabilities (USN-2549-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-248.NASL
    description libarchive was updated to fix a directory traversal in the bsdcpio tool, which allowed attackers supplying crafted archives to overwrite files. (CVE-2015-2304) Also, a integer overflow was fixed that could also overflow buffers. (CVE-2013-0211)
    last seen 2019-02-21
    modified 2015-03-24
    plugin id 82012
    published 2015-03-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82012
    title openSUSE Security Update : libarchive (openSUSE-2015-248)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_7C63775EBE3111E5B5FE002590263BF5.NASL
    description MITRE reports : Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow. Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive. Libarchive issue tracker reports : Using a crafted tar file bsdtar can perform an out-of-bounds memory read which will lead to a SEGFAULT. The issue exists when the executable skips data in the archive. The amount of data to skip is defined in byte offset [16-19] If ASLR is disabled, the issue can lead to an infinite loop.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87984
    published 2016-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87984
    title FreeBSD : libarchive -- multiple vulnerabilities (7c63775e-be31-11e5-b5fe-002590263bf5)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1939-1.NASL
    description bsdtar was updated to fix seven security issues. These security issues were fixed : - CVE-2015-8929: Memory leak in tar parser (bsc#985669). - CVE-2016-4809: Memory allocate error with symbolic links in cpio archives (bsc#984990). - CVE-2015-8920: Stack out of bounds read in ar parser (bsc#985675). - CVE-2015-8921: Global out of bounds read in mtree parser (bsc#985682). - CVE-2015-8924: Heap buffer read overflow in tar (bsc#985609). - CVE-2015-8918: Overlapping memcpy in CAB parser (bsc#985698). - CVE-2015-2304: Reject absolute paths in input mode of bsdcpio exactly when '..' is rejected (bsc#920870). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93187
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93187
    title SUSE SLES11 Security Update : bsdtar (SUSE-SU-2016:1939-1)
  • NASL family CGI abuses
    NASL id SPLUNK_642.NASL
    description According to its self-reported version number, the version of Splunk Enterprise hosted on the remote web server is 5.0.x, 6.0.x prior to 6.0.12, 6.1.x prior to 6.1.11, 6.2.x prior to 6.2.11, 6.3.x prior to 6.3.6, or 6.4.x prior to 6.4.2; or else it is Splunk Light version 6.4.x prior to 6.4.2. It is, therefore, affected by the following vulnerabilities : - An integer signedness error exists in libarchive in the archive_write_zip_data() function within file archive_write_set_format_zip.c due to improper conversion between unsigned and signed integer types when running on 64-bit CPUs. An unauthenticated, remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition. (CVE-2013-0211) - A path traversal vulnerability exists in libarchive in the bsdcpio() function within file in cpio/cpio.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted path in an archive, to write to arbitrary files. (CVE-2015-2304) - A heap-based buffer overflow condition exists in libarchive in the zip_read_mac_metadata() function within file archive_read_support_format_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via specially crafted entry-size values in a ZIP archive, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1541) - Multiple flaws exist in the OpenSSL library in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - An unspecified cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session. - An unspecified cross-site redirection vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted web link, to redirect the browser to an arbitrary website of the attacker's own choosing. Note that Splunk Enterprise 5.0.x will not be patched for OpenSSL issues, and it is recommended you upgrade to the latest version. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 92790
    published 2016-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92790
    title Splunk Enterprise < 5.0.16 / 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2911-1.NASL
    description This update for libarchive fixes several issues. These security issues were fixed : - CVE-2016-8687: Buffer overflow when printing a filename (bsc#1005070). - CVE-2016-8689: Heap overflow when reading corrupted 7Zip files (bsc#1005072). - CVE-2016-8688: Use after free because of incorrect calculation in next_line (bsc#1005076). - CVE-2016-5844: Integer overflow in the ISO parser in libarchive allowed remote attackers to cause a denial of service (application crash) via a crafted ISO file (bsc#986566). - CVE-2016-6250: Integer overflow in the ISO9660 writer in libarchive allowed remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow (bsc#989980). - CVE-2016-5418: The sandboxing code in libarchive mishandled hardlink archive entries of non-zero data size, which might allowed remote attackers to write to arbitrary files via a crafted archive file (bsc#998677). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 95367
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95367
    title SUSE SLED12 / SLES12 Security Update : libarchive (SUSE-SU-2016:2911-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1404.NASL
    description This update for libarchive fixes several issues. These security issues were fixed : - CVE-2016-8687: Buffer overflow when printing a filename (bsc#1005070). - CVE-2016-8689: Heap overflow when reading corrupted 7Zip files (bsc#1005072). - CVE-2016-8688: Use after free because of incorrect calculation in next_line (bsc#1005076). - CVE-2016-5844: Integer overflow in the ISO parser in libarchive allowed remote attackers to cause a denial of service (application crash) via a crafted ISO file (bsc#986566). - CVE-2016-6250: Integer overflow in the ISO9660 writer in libarchive allowed remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow (bsc#989980). - CVE-2016-5418: The sandboxing code in libarchive mishandled hardlink archive entries of non-zero data size, which might allowed remote attackers to write to arbitrary files via a crafted archive file (bsc#998677). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-12-06
    plugin id 95558
    published 2016-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95558
    title openSUSE Security Update : libarchive (openSUSE-2016-1404)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3180.NASL
    description Alexander Cherepanov discovered that bsdcpio, an implementation of the'cpio' program part of the libarchive project, is susceptible to a directory traversal vulnerability via absolute paths.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 81654
    published 2015-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81654
    title Debian DSA-3180-1 : libarchive - security update
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-03 (libarchive: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libarchive. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted archive file possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-01-03
    plugin id 96234
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96234
    title GLSA-201701-03 : libarchive: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1405.NASL
    description This update for libarchive fixes several issues. These security issues were fixed : - CVE-2016-8687: Buffer overflow when printing a filename (bsc#1005070). - CVE-2016-8689: Heap overflow when reading corrupted 7Zip files (bsc#1005072). - CVE-2016-8688: Use after free because of incorrect calculation in next_line (bsc#1005076). - CVE-2016-5844: Integer overflow in the ISO parser in libarchive allowed remote attackers to cause a denial of service (application crash) via a crafted ISO file (bsc#986566). - CVE-2016-6250: Integer overflow in the ISO9660 writer in libarchive allowed remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow (bsc#989980). - CVE-2016-5418: The sandboxing code in libarchive mishandled hardlink archive entries of non-zero data size, which might allowed remote attackers to write to arbitrary files via a crafted archive file (bsc#998677). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-12-06
    plugin id 95559
    published 2016-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95559
    title openSUSE Security Update : libarchive (openSUSE-2016-1405)
refmap via4
confirm
debian DSA-3180
freebsd FreeBSD-SA-16:22
gentoo GLSA-201701-03
mandriva MDVSA-2015:157
mlist
  • [oss-security] 20150108 Directory traversals in cpio and friends?
  • [oss-security] 20150116 CVE Request: libarchive -- directory traversal in bsdcpio
sectrack 1035996
suse openSUSE-SU-2015:0568
ubuntu USN-2549-1
Last major update 29-11-2016 - 22:01
Published 15-03-2015 - 15:59
Last modified 30-10-2018 - 12:27
Back to Top