[EXPL] gzip Directory Traversal Vulnerability ("gunzip -N")

From: SecuriTeam (support_at_securiteam.com)
Date: 05/11/05

    To: list@securiteam.com
    Date: 11 May 2005 15:22:52 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      gzip Directory Traversal Vulnerability ("gunzip -N")
    ------------------------------------------------------------------------

    SUMMARY

    "gzip, gunzip, zcat - compress or expand files" - "Gzip reduces the size
    of the named files using Lempel-Ziv coding (LZ77). Whenever possible, each
    file is replaced by one with the extension .gz, while keeping the same
    ownership modes, access and modification times. (The default extension is
    -gz for VMS, z for MSDOS, OS/2 FAT, Windows NT FAT and Atari.) If no files
    are specified, or if a file name is "-", the standard input is compressed
    to the standard output. Gzip will only attempt to compress regular files.
    In particular, it will ignore symbolic links."

    A directory traversal vulnerability exists in gzip. It allows attackers to
    create arbitrary files with arbitrary contents on a system, if they can
    get a user or a program with sufficient rights to run "gunzip -N" on a
    malicious gz file that the attackers supply.

    DETAILS

    Vulnerable Systems:
     * gzip version 1.2.4, 1.2.4a, 1.3.3, 1.3.4 and 1.3.5 (previous unix
    versions suspected).

    A directory traversal bug exists in multiple versions of gzip. When
    compressing a file, gzip saves its original name but not its path inside
    the compressed file. When using gunzip's "-N" option, the original name
    found inside the compressed file will be used as the name to save the
    decompressed file with. "gunzip -N" doesn't check if the original name
    inside the compressed file has any "/" characters in it. This makes it
    possible to create a malicious compressed file that when decompressed with
    "gunzip -N" will create a file at an arbitrary location in the file
    system, such as "/etc/nologin" or "/etc/cron.d/evil".

    The command "gunzip -N" prints no output during normal operation, so the
    user will not get any warning. The command "gunzip -Nv" prints information
    about what file it is creating where, but then it may be too late. The
    gunzip command always asks before overwriting existing files, so this bug
    only allows for creating new files and not overwriting old ones.

    The compressed file "dir-traversal-bug.gz"
    <http://bugs.debian.org/cgi-bin/bugreport.cgi/dir-traversal-bug.gz?bug=305255&msg=3&att=1>
    will create a file in "/tmp" when decompressed with "gunzip -N".

    Patch Availability:
    Please read the original article
    <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255> before
    downloading these patches:
     * gzip.dirtraversal.patch
       <http://bugs.debian.org/cgi-bin/bugreport.cgi/gzip.dirtraversal.patch?bug=305255&msg=3&att=2>
     * gzip.dirtraversal_better.patch
       <http://bugs.debian.org/cgi-bin/bugreport.cgi/gzip.dirtraversal_better.patch?bug=305255&msg=12&att=1>

    ADDITIONAL INFORMATION

    The information has been provided by Ulf Härnhammar
    <mailto:metaur@telia.com>.
    The original article can be found at:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255
