Vulnerability Development mailing list archives
Re: New bugs discovered!
From: "Alex Butcher (vuln-dev)" <vulndev () cocoa demon co uk>
Date: Mon, 19 Nov 2001 01:21:01 +0000 (GMT)
[ Executive summary: this is a problem that appears to be specific to Linux distributions using obsolete versions of gzip, including Slackware 7.1 and 8.0. Other problems *may* lurk in gzip, other distros and therefore packages (including FTP servers) which make use of gzip. ] On Sun, 18 Nov 2001, vuln-dev wrote:
GOBBLES security is happy to announce the discovery of multiple bugs in /bin/gzip, which can be exploited remotely with a bit of creativity. Attached is our advisory on the matter.
The GOBBLES Team www.bugtraq.org
Researchers from GOBBLES SECURITY have discovered many bufferoverflow in /bin/gzip on our Slackware 7.1 server in GOBBLES LABS.
Tested on Red Hat 7.2: $ gzip -h gzip 1.3 (1999-12-21) usage: gzip [-cdfhlLnNrtvV19] [-S suffix] [file ...] [snip] Report bugs to <bug-gzip () gnu org>. $ /bin/gzip `perl -e 'print "A" x 2048'` gzip: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA : file name too long No segfault. :]
We could not find a contact email address for the makers of /bin/gzip so instead we have decided to fully disclose our findings here on the mailing lists and then we hope that the makers of /bin/gzip will read this and then begin to start understanding the concepts of securely programming their software so that no more systems can be comprimised by their poor coding practices.
$ cat gzip-1.3/AUTHORS gzip was written by Jean-loup Gailly <jloup () gzip org>, and Mark Adler for the decompression code. $ tail -1 gzip-1.3/TODO Send comments to <bug-gzip () gnu org>. and, of course the -h output.
GOBBLES thinks that experienced programmers who still let their code get hacked by silly old stack overflows are very sad and pathetic programmers!
*ahem*
GOBBLES@LABSLACK:/hacking/gzip$ /bin/gzip -h gzip 1.2.4 (18 Aug 93)
^^^^^^^^^ (Actually 1.2.4a according to the Slackware 7.1 package description) As Slackware 7.1 was released on 25 June 2000, it does seem rather sad that *they've* chosen to include 1.2.4a when 1.3 has been available since 21 December 1999. It's even sadder that it's still not been updated in Slackware 8.0, released 28 June 2001. :C 1.3 includes a check to make sure that the strcpy() isn't longer than MAX_PATH_LEN - 1. There are, however, plenty of strcpy()s lurking...
Many different Unix services use gzip in different ways such as FTP daemons who like to let users run gzip and tar on full directories so that they can let the users download a single nice tarball instead of a lot of unorganized files and the compression makes the transfers go faster sometimes. The idea of researching bufferoverflows in gzip was to find if there were any and then to see if they can be exploited from ftp servers.
This is a legitimate concern and adminstrators of FTP servers and similar should consider the security of any applications they tie into their servers as well as the server and its configuration... Best Regards, Alex. -- Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com Berkshire, UK Is *your* company hiring UNIX/Security/Pen. testing folks? PGP/GnuPG ID:0x271fd950 http://www.cocoa.demon.co.uk/cv/
Current thread:
- New bugs discovered! vuln-dev (Nov 18)
- Re: New bugs discovered! Alex Butcher (vuln-dev) (Nov 18)
- Re: New bugs discovered! Nate Amsden (Nov 19)
- Re: New bugs discovered! Alex Butcher (vuln-dev) (Nov 19)
- Re: New bugs discovered! Roger Burton West (Nov 19)
- Re: New bugs discovered! Fabio Roccatagliata (Nov 19)
- Re: New bugs discovered! Respect (Nov 19)
- Re: New bugs discovered! Nate Amsden (Nov 19)
- Re: New bugs discovered! Alex Butcher (vuln-dev) (Nov 18)
- Re: New bugs discovered! Yaroslav Klyukin (Nov 18)
- Re: New bugs discovered! Crist J. Clark (Nov 19)
- Re: New bugs discovered! Robert Jaroszuk (Nov 19)
- Re: New bugs discovered! Naseer Bhatti (Nov 19)
- Re: New bugs discovered! Larry W. Cashdollar (Nov 18)