OSVDB ID: 14060

Title: unace ACE Archive Extraction Traversal

Info

Disclosure: Feb 22, 2005
Discovery: Unknown

Dates

Exploit: Feb 22, 2005
Solution: Unknown

Description

unace contains a flaw that allows a local or remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal sequences (e.g. ../../) or absolute paths supplied via the filenames stored in ACE archives. When such an archive is extracted, this directory traversal flaw allows the attacker to create files in arbitrary directories on the system.
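The missing check described above, sketched as an added example (this is not unace or avast! code): a lexical test an extractor can run on each stored filename before joining it to the extraction directory. The function name and the choice to treat both '/' and '\' as separators are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: both '/' and '\\' count as separators, since an archive may be
 * created on DOS/Windows and extracted on Unix, or the other way round. */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns 1 if the stored member name can be joined to the extraction
 * directory without leaving it, 0 if the entry should be rejected. */
int member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    /* Absolute paths: leading separator, or a drive-qualified "C:..." name. */
    if (is_sep(name[0]))
        return 0;
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;

    const char *p = name;
    while (*p != '\0') {
        /* Measure the current path component. */
        size_t len = 0;
        while (p[len] != '\0' && !is_sep(p[len]))
            len++;
        /* A ".." component anywhere can climb out of the target directory. */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
        while (is_sep(*p))      /* skip one or more separators */
            p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names, not taken from a real archive. */
    const char *names[] = { "docs/readme.txt", "../../outside.txt",
                            "/tmp/x", "a\\..\\..\\b", "notes..txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s %s\n", names[i],
               member_name_is_safe(names[i]) ? "extract" : "reject");
    return 0;
}
```

A lexical check like this does not cover symbolic links that already exist inside the extraction directory; an extractor that must handle those also has to verify the resolved destination path.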

Classification

Location: Local / Remote
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: Coordinated Disclosure

Solution

Currently, there are no known upgrades or patches to correct this vulnerability for unace. For the affected avast! products, upgrade to avast! Home/Professional Edition version 4.6.691 or higher, avast! Server Edition version 4.6.489 or higher, or avast! Managed Client version 4.6.394 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

e-merge GmbH
  unace 1.2b

Avast Software a.s.
  avast! Professional 4.6.665
  avast! Home 4.6.665
  avast! Server Edition 4.6.460

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/14060