lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 01 Mar 2005 20:44:37 +0100
From: exon <exon@...e.se>
To: bugtraq@...urityfocus.com
Subject: Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files


Han Boetes wrote:
> John Simpson wrote:
> 
>>this only works if the user un-zipping the file is already root.
>>otherwise it creates an "sh" binary which is setuid to the user
>>who unzipped the file. this kind of "exploit" is only useful if
>>you can somehow trick root into unzipping the file- it cannot be
>>used to gain root on a machine where you don't already have it.
> 
> 
> If your homedir is worldreadable, which is pretty common practice
> the other user can run the shell and get your useraccount.
> 

What does that have to do with anything? The targeted user still has to 
run the shell-script, and the script can't be setuid root unless root 
unpacks it. Actually, shell-scripts (or any runtime-interpreted 
language) usually can't run with elevated privileges, since the parsing 
binary (in this case /bin/sh) would need to be setuid root as well. If 
it is, you  don't need a script to do your work for you.

If you're assuming normaluser would unzip the "evil" zip file and then 
eviluser on the same system could execute it to gain the privileges of 
normaluser, eviluser still hasn't gained anything since he/she would 
have been able to read the world-readable (no sound distribution does 
this anymore) directory anyways. If normalusers homedir isn't 
world-readable then eviluser wouldn't even be able to run the 
shell-script. Binaries are a different matter, but it still boils down 
to the targeted user running whatever you send him. If you can manage 
that you don't need flawed programs to break in.

> 
> 
>>although i will agree that having the unzip program warn the
>>user when creating a setuid or setgid file is a good idea in
>>general.
> 
> 
> Lets take a look at how tar does it: it uses the p flag.
> 
>  -p   Preserve user and group ID as well as file mode regardless
>       of the current umask(2).  The setuid and setgid bits are
>       only preserved if the user is the superuser.  Only meaning-
>       ful in conjunction with the -x flag.
> 
> 
> 
> # Han
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ