Re: New bugs discovered!

From: Alex Butcher (vuln-dev) (vulndev@cocoa.demon.co.uk)
Date: 11/19/01


Date: Mon, 19 Nov 2001 01:21:01 +0000 (GMT)
From: "Alex Butcher (vuln-dev)" <vulndev@cocoa.demon.co.uk>
To: <GOBBLES@hushmail.com>
Subject: Re: New bugs discovered!
Message-ID: <Pine.LNX.4.33.0111190052470.27289-100000@cocoa.demon.co.uk>


[ Executive summary: this is a problem that appears to be specific to
Linux distributions using obsolete versions of gzip, including Slackware
7.1 and 8.0. Other problems *may* lurk in gzip, other distros and
therefore packages (including FTP servers) which make use of gzip. ]

On Sun, 18 Nov 2001, vuln-dev wrote:

> GOBBLES security is happy to announce the discovery of multiple bugs in
> /bin/gzip, which can be exploited remotely with a bit of creativity.
> Attached is our advisory on the matter.

> The GOBBLES Team
> www.bugtraq.org

>Researchers from GOBBLES SECURITY have discovered many buffer overflows
>in /bin/gzip on our Slackware 7.1 server in GOBBLES LABS.

Tested on Red Hat 7.2:

$ gzip -h
gzip 1.3
(1999-12-21)
usage: gzip [-cdfhlLnNrtvV19] [-S suffix] [file ...]

[snip]

Report bugs to <bug-gzip@gnu.org>.

$ /bin/gzip `perl -e 'print "A" x 2048'`
gzip:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AA
:
file name too long

No segfault. :]

>We could not find a contact email address for the makers of /bin/gzip
>so instead we have decided to fully disclose our findings here on the
>mailing lists and then we hope that the makers of /bin/gzip will read
>this and then begin to start understanding the concepts of securely
>programming their software so that no more systems can be compromised by
>their poor coding practices.

$ cat gzip-1.3/AUTHORS
gzip was written by Jean-loup Gailly <jloup@gzip.org>,
and Mark Adler for the decompression code.

$ tail -1 gzip-1.3/TODO
Send comments to <bug-gzip@gnu.org>.

and, of course the -h output.

>GOBBLES thinks that experienced programmers who still let their code get
>hacked by silly old stack overflows are very sad and pathetic
>programmers!

*ahem*

>GOBBLES@LABSLACK:/hacking/gzip$ /bin/gzip -h
>gzip 1.2.4 (18 Aug 93)
             ^^^^^^^^^

(Actually 1.2.4a according to the Slackware 7.1 package description)

As Slackware 7.1 was released on 25 June 2000, it does seem rather sad
that *they've* chosen to include 1.2.4a when 1.3 has been available since
21 December 1999. It's even sadder that it's still not been updated in
Slackware 8.0, released 28 June 2001. :C

1.3 includes a check to make sure that the strcpy() isn't longer than
MAX_PATH_LEN - 1. There are, however, plenty of strcpy()s lurking...

>Many different Unix services use gzip in different ways such as FTP
>daemons who like to let users run gzip and tar on full directories so
>that they can let the users download a single nice tarball instead of a
>lot of unorganized files and the compression makes the transfers go
>faster sometimes. The idea of researching buffer overflows in gzip was to
>find if there were any and then to see if they can be exploited from ftp
>servers.

This is a legitimate concern and administrators of FTP servers and similar
should consider the security of any applications they tie into their
servers as well as the server and its configuration...

Best Regards,
Alex.

-- 
Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK      Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950                      http://www.cocoa.demon.co.uk/cv/
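The length check Alex describes in gzip 1.3 (reject a name longer than MAX_PATH_LEN - 1 before any strcpy() into the fixed buffer), written out as an added example; this is illustrative code, not gzip's source, and the MAX_PATH_LEN value of 1024 is an assumption since the page does not give it:

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed file-name buffer. gzip's real value is not stated on
 * the page; 1024 is assumed here for illustration. */
#define MAX_PATH_LEN 1024

enum name_result { NAME_OK = 0, NAME_TOO_LONG = 1 };

/* Hardened pattern corresponding to the gzip 1.3 check: the 1.2.4 code
 * did a bare strcpy(dst, src) into a MAX_PATH_LEN buffer, so a name of
 * MAX_PATH_LEN or more bytes overran it. Here the length is verified
 * first, leaving room for the terminating NUL, and an over-long name is
 * refused instead of copied. */
static enum name_result set_name_checked(char *dst, const char *src)
{
    if (strlen(src) > MAX_PATH_LEN - 1) {
        return NAME_TOO_LONG;       /* gzip prints "file name too long" */
    }
    strcpy(dst, src);               /* safe: length verified above */
    return NAME_OK;
}

/* Build a constructed name of n 'A' characters, like the
 * perl -e 'print "A" x 2048' test in the mail, and report whether the
 * checked copy accepts it. */
static enum name_result try_name_of_length(size_t n)
{
    char src[4096];
    char dst[MAX_PATH_LEN];

    if (n >= sizeof src) {
        return NAME_TOO_LONG;       /* cannot even build the test input */
    }
    memset(src, 'A', n);
    src[n] = '\0';
    return set_name_checked(dst, src);
}

int main(void)
{
    size_t lengths[] = { 0, MAX_PATH_LEN - 1, MAX_PATH_LEN, 2048 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        printf("%4zu A's: %s\n", lengths[i],
               try_name_of_length(lengths[i]) == NAME_OK
                   ? "accepted" : "file name too long");
    }
    return 0;
}
```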


