[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files
From: exon <exon@xxxxxxx>
Date: Tue, 01 Mar 2005 20:44:37 +0100

Han Boetes wrote:

John Simpson wrote:

this only works if the user un-zipping the file is already root.
otherwise it creates an "sh" binary which is setuid to the user
who unzipped the file. this kind of "exploit" is only useful if
you can somehow trick root into unzipping the file- it cannot be
used to gain root on a machine where you don't already have it.

If your homedir is worldreadable, which is pretty common practice
the other user can run the shell and get your useraccount.

What does that have to do with anything? The targeted user still has to run the shell-script, and the script can't be setuid root unless root unpacks it. Actually, shell-scripts (or any runtime-interpreted language) usually can't run with elevated privileges, since the parsing binary (in this case /bin/sh) would need to be setuid root as well. If it is, you don't need a script to do your work for you.

If you're assuming normaluser would unzip the "evil" zip file and then eviluser on the same system could execute it to gain the privileges of normaluser, eviluser still hasn't gained anything since he/she would have been able to read the world-readable (no sound distribution does this anymore) directory anyways. If normalusers homedir isn't world-readable then eviluser wouldn't even be able to run the shell-script. Binaries are a different matter, but it still boils down to the targeted user running whatever you send him. If you can manage that you don't need flawed programs to break in.

although i will agree that having the unzip program warn the
user when creating a setuid or setgid file is a good idea in
general.

Lets take a look at how tar does it: it uses the p flag.

 -p   Preserve user and group ID as well as file mode regardless
      of the current umask(2).  The setuid and setgid bits are
      only preserved if the user is the superuser.  Only meaning-
      ful in conjunction with the -x flag.

# Han

References:
- 7a69Adv#22 - UNIX unzip keep setuid and setgid files
  - From: Albert Puigsech Galicia
- Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files
  - From: John Simpson
- Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files
  - From: Han Boetes

Prev by Date: Re: Firefox Software Update
Next by Date: Re: Firefox Software Update
Previous by thread: Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files
Next by thread: Re: iDEFENSE Security Advisory 02.25.05: WU-FTPD File Globbing Denial of Service Vulnerability
Index(es):
- Date
- Thread