Re: New bugs discovered!

["Alex Butcher (vuln-dev)" <vulndev () cocoa demon co uk>]

[ Executive summary: this is a problem that appears to be specific to 
Linux distributions using obsolete versions of gzip, including Slackware 
7.1 and 8.0. Other problems *may* lurk in gzip, other distros and 
therefore packages (including FTP servers) which make use of gzip. ]

On Sun, 18 Nov 2001, vuln-dev wrote:

> GOBBLES security is happy to announce the discovery of multiple bugs in 
> /bin/gzip, which can be exploited remotely with a bit of creativity.  
> Attached is our advisory on the matter. 

> The GOBBLES Team
> www.bugtraq.org 

> Researchers from GOBBLES SECURITY have discovered many bufferoverflow
> in /bin/gzip on our Slackware 7.1 server in GOBBLES LABS.

Tested on Red Hat 7.2:

$ gzip -h
gzip 1.3
(1999-12-21)
usage: gzip [-cdfhlLnNrtvV19] [-S suffix] [file ...]

[snip]

Report bugs to <bug-gzip () gnu org>.

$ /bin/gzip `perl -e 'print "A" x 2048'`
gzip: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
: 
file name too long

No segfault. :]

> We could not find a contact email address for the makers of /bin/gzip 
> so instead we have decided to fully disclose our findings here on the
> mailing lists and then we hope that the makers of /bin/gzip will read 
> this and then begin to start understanding the concepts of securely 
> programming their software so that no more systems can be comprimised by 
> their poor coding practices.

$ cat gzip-1.3/AUTHORS 
gzip was written by Jean-loup Gailly <jloup () gzip org>,
and Mark Adler for the decompression code.

$ tail -1 gzip-1.3/TODO 
Send comments to <bug-gzip () gnu org>.

and, of course the -h output.

> GOBBLES thinks that experienced programmers who still let their code get 
> hacked by silly old stack overflows are very sad and pathetic 
> programmers!

*ahem*

> GOBBLES@LABSLACK:/hacking/gzip$ /bin/gzip -h
> gzip 1.2.4 (18 Aug 93)
             ^^^^^^^^^

(Actually 1.2.4a according to the Slackware 7.1 package description)

As Slackware 7.1 was released on 25 June 2000, it does seem rather sad 
that *they've* chosen to include 1.2.4a when 1.3 has been available since 
21 December 1999. It's even sadder that it's still not been updated in 
Slackware 8.0, released 28 June 2001. :C

1.3 includes a check to make sure that the strcpy() isn't longer than 
MAX_PATH_LEN - 1. There are, however, plenty of strcpy()s lurking...

> Many different Unix services use gzip in different ways such as FTP
> daemons who like to let users run gzip and tar on full directories so 
> that they can let the users download a single nice tarball instead of a 
> lot of unorganized files and the compression makes the transfers go 
> faster sometimes.  The idea of researching bufferoverflows in gzip was to 
> find if there were any and then to see if they can be exploited from ftp
> servers.

This is a legitimate concern and adminstrators of FTP servers and similar 
should consider the security of any applications they tie into their 
servers as well as the server and its configuration...

Best Regards,
Alex.
-- 
Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK      Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950                      http://www.cocoa.demon.co.uk/cv/