Here's details of these vulnerabilities for the curious:


  void extractTree(struct Volume *vol, struct List* tree, char *path, unsigned 
char *extbuf,
                   BOOL pflag, BOOL qflag)
      struct Entry* entry;
      char *buf;
      char sysbuf[200];
      while(tree) {
          entry = (struct Entry*)tree->content;
          if (entry->type==ST_DIR) {
              buf = NULL;
              if (strlen(path)>0) {
                  if (!buf) return;
                      sprintf(sysbuf,"%s %s",MKDIR,buf);

Here, sysbuf can be caused to overflow for example by giving an .adf
archive which has a file with very long name and/or path.


When unadf extracts .adf file, it creates directory paths by executing
mkdir via system(), but does not sanitize pathname strings in any
way. If the user can be tricked to extract specially crafted .adf
file, the attacker can execute arbitrary code with privileges of the

As a proof of concept, I have crafted a file which executes 'ls' when
unpacked by vulnerable unadf: http://tmp.tjjr.fi/boom.adf

Action log:

  $ unadf boom.adf
  unADF v1.0 : a unzip like for .ADF files, powered by ADFlib (v0.7.11a - 
January 20th, 2007)

  Device : Floppy DD. Cylinders = 80, Heads = 2, Sectors = 11. Volumes = 1
  Volume : Floppy 880 KBytes, "Work" between sectors [0-1759]. OFS . Filled at 

  x - somedir;ls/
  adflib.dsw    AUTHORS.txt  boom.adf  CHANGES.txt  debian  Docs        
dynunadf.dsp  FilesToInstall  Lib       README.txt  somedir        
  adfwrapper.h  Bin          Boot      COPYING.txt  Demo    dynlib.dsp  Faq     
      gen_spec.sh     Makefile  snip.c      staticlib.dsp


Reply via email to