Vulnerability Development mailing list archives
Re: New bugs discovered!
From: GomoR <GomoR () gomor org>
Date: Mon, 19 Nov 2001 10:14:03 +0100
On Sun, 18 Nov 2001 20:03:38 +0000 "vuln-dev" <vuln-dev () bugtraq org> wrote:
> GOBBLES security is happy to announce the discovery of multiple bugs in /bin/gzip, which can be exploited remotely with a bit of creativity. Attached is our advisory on the matter. Enjoy the knowledge and remember to use it responsibly.
> The GOBBLES Team
> www.bugtraq.org
> (See attached file: gzip-advisory.txt)
FreeBSD (I don't know about other BSDs) does not ship the same 1.2.4 version as the one found on the www.gzip.org site. It seems they've audited the code and corrected some bugs (maybe the code was audited by the OpenBSD team and then adopted by the FreeBSD team, I don't know). So, by comparing the code of the gzip-1.2.4.tar.gz downloaded from www.gzip.org against the gzip sources found on a FreeBSD 4.4-RELEASE system, we can see the following diff:

freebsd$ diff gzip-1.2.4/gzip.c /usr/src/gnu/usr.bin/gzip/gzip.c
42c42 < * too heavily. There is no ideal solution given the MSDOS 8+3 limitation. ---
* too heavily. There is no ideal solution given the MSDOS 8+3 limitation.
48c48 < static char rcsid[] = "$Id: gzip.c,v 0.24 1993/06/24 10:52:07 jloup Exp $"; ---
static char rcsid[] = "$FreeBSD: src/gnu/usr.bin/gzip/gzip.c,v 1.10 1999/08/27 23:35:50 peter Exp $";
524c524,530 < strcpy(z_suffix, optarg); ---
if (z_len > sizeof(z_suffix)-1) { fprintf(stderr, "%s: -S suffix too long\n", progname); usage(); do_exit(ERROR); } strncpy(z_suffix, optarg, sizeof z_suffix-1); z_suffix[sizeof z_suffix-1] = '\0';
807c813 < fprintf(stderr, "%s:\t%s", ifname, (int)strlen(ifname) >= 15 ? ---
fprintf(stderr, "%s:\t%s", ifname, (int)strlen(ifname) >= 15 ?
1008a1015,1021
if (strlen(iname) >= sizeof(ifname) - 3) { errno = ENAMETOOLONG; perror(iname); exit_code = ERROR; return ERROR; }
1576d1588 < (void) chmod(ofname, 0777); 1636d1647 < (void) chmod(ifname, 0777); 1657c1668 < ---
1678c1689 < ---
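Review bot: in the 524c524,530 hunk the bound check `if (z_len > sizeof(z_suffix)-1)` tests z_len, which is not assigned anywhere in the hunk; the check is only correct if z_len was set from strlen(optarg) immediately before this case in the unchanged context, so that context line should be part of the diff for a reader to verify it. Once the check rejects anything longer than sizeof z_suffix-1, the following `strncpy(z_suffix, optarg, sizeof z_suffix-1); z_suffix[sizeof z_suffix-1] = '\0';` is defence in depth rather than the fix itself; a one-line comment saying so would stop a later maintainer from dropping the explicit check on the grounds that strncpy already truncates (it does, but without guaranteeing the terminating NUL, which is why the extra assignment is there).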
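Review bot: the 1008a1015,1021 hunk's check `if (strlen(iname) >= sizeof(ifname) - 3)` uses a fixed margin of 3 with no comment on where that number comes from. gzip appends a suffix to the names it builds, and the 524c524,530 hunk allows a -S suffix of up to sizeof(z_suffix)-1 bytes, so a name that passes this test with two bytes to spare still cannot have a long user-chosen suffix appended safely; either derive the margin from the suffix actually in effect (`if (strlen(iname) + z_len + 1 > sizeof ifname)`) or document why the code reached from here never appends more than that. The hunk sets errno to ENAMETOOLONG and calls perror(iname) before returning ERROR, which gives a sensible message; just confirm the caller checks the return value, since the hunk does not show treat_file's signature.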
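Review bot: the deletions at 1576d1588 and 1636d1647 remove `(void) chmod(ofname, 0777);` and `(void) chmod(ifname, 0777);`, and dropping them is the right call: a chmod to 0777 leaves the file world-readable, -writable and -executable for as long as it exists afterwards, and if it was meant to make a following unlink succeed it was unnecessary, because unlink(2) requires write permission on the directory, not on the file. The hunk provides no replacement, so before merging confirm that nothing after these points relies on the file having become writable (for example a later open of ifname for writing), and mention in the commit message that read-only input files now keep their mode.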
The path-name validation problem is not present in either of those two versions, because there is a validation :), and it goes as follows:

    len = strlen(dir);
    if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
        strcpy(nbuf,dir);
        if (len != 0 /* dir = "" means current dir on Amiga */
#ifdef PATH_SEP2
            && dir[len-1] != PATH_SEP2
#endif
#ifdef PATH_SEP3
            && dir[len-1] != PATH_SEP3
#endif
        ) {
            nbuf[len++] = PATH_SEP;
        }
        strcpy(nbuf+len, dp->d_name);
        treat_file(nbuf);
    } else {
        fprintf(stderr,"%s: %s/%s: pathname too long\n",
                progname, dir, dp->d_name);
        exit_code = ERROR;
    }

So, the buffer validation problem for the file name is not present in the 1.2.4 version, but we can see that there is another buffer validation problem with the -S parameter in the non-audited version ( strcpy(z_suffix, optarg); ). Here is an attempt to exploit it on Linux, with the non-audited version:

linux$ gzip -S `perl -e 'print "A" x 2048'`
gzip: incorrect suffix '(null)'

And with the audited version on FreeBSD:

freebsd$ gzip -S `perl -e 'print "A" x 2048'`
gzip: -S suffix too long
usage: gzip [-cdfhlLnNrtvV19] [-S suffix] [file ...]

I hope the information provided here will help somebody.

==========================================================
FreeBSD Network - http://www.gomor.org/
Security Engineer Junior
==========================================================
=-----=> root is the only God I believe in <=-----=
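To make the difference between the two -S code paths concrete, here is an added example; it is my code, not code from GomoR's mail, from gzip or from FreeBSD. It models gzip's z_suffix and ifname buffers with the sizes I take from gzip 1.2.4's gzip.h (MAX_SUFFIX 30 and MAX_PATH_LEN 1024; assumed, check your copy), computes how far the unchecked strcpy(z_suffix, optarg) would write past the buffer for the 2048-byte argument used above without actually performing the write, implements the FreeBSD-style bounded copy, and contrasts the FreeBSD hunk's fixed 3-byte ifname margin with a check that budgets for the suffix actually in effect. The function names (suffix_overflow_bytes, set_suffix, check_iname_fixed, check_iname_for_suffix, a_string) are this example's own, not gzip's.

```c
/* Added example modelling gzip 1.2.4's -S suffix handling and the FreeBSD
 * hardening; not code from gzip, FreeBSD or the mail above. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Sizes assumed to match gzip 1.2.4's gzip.h. */
#define MAX_SUFFIX   30
#define MAX_PATH_LEN 1024

char z_suffix[MAX_SUFFIX + 1];   /* compressed-file suffix, e.g. ".gz" */
char ifname[MAX_PATH_LEN];       /* input file name buffer */

/* Builds a constructed argument of n 'A's in a static buffer, standing in
 * for the perl -e 'print "A" x 2048' argument from the mail. */
const char *a_string(size_t n)
{
    static char buf[4096];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Number of bytes the unchecked 1.2.4 strcpy(z_suffix, optarg) would write
 * past the end of z_suffix (0 when the suffix fits). Computed, never
 * performed, so this example does not corrupt its own memory. */
size_t suffix_overflow_bytes(const char *optarg)
{
    size_t need = strlen(optarg) + 1;          /* strcpy copies the NUL too */
    return need > sizeof z_suffix ? need - sizeof z_suffix : 0;
}

/* Hardened -S handling in the style of the FreeBSD hunk: reject before
 * copying, then copy with an explicit bound and terminate. 0 = accepted,
 * -1 = rejected. */
int set_suffix(const char *optarg)
{
    size_t z_len = strlen(optarg);
    if (z_len > sizeof(z_suffix) - 1) {
        fprintf(stderr, "gzip: -S suffix too long\n");
        return -1;
    }
    strncpy(z_suffix, optarg, sizeof z_suffix - 1);
    z_suffix[sizeof z_suffix - 1] = '\0';
    return 0;
}

/* Input-name check as in the FreeBSD hunk: a fixed margin of 3 bytes. */
int check_iname_fixed(const char *iname)
{
    if (strlen(iname) >= sizeof(ifname) - 3) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Variant that budgets for the suffix actually in use: the name, the
 * current z_suffix and the NUL must all fit in ifname. */
int check_iname_for_suffix(const char *iname)
{
    if (strlen(iname) + strlen(z_suffix) + 1 > sizeof ifname) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int main(void)
{
    printf("1.2.4 strcpy would overrun z_suffix by %zu bytes\n",
           suffix_overflow_bytes(a_string(2048)));
    printf("hardened set_suffix on 2048 bytes: %d\n", set_suffix(a_string(2048)));
    printf("set_suffix(\".gz\"): %d -> suffix is %s\n", set_suffix(".gz"), z_suffix);
    printf("1020-byte name, fixed margin: %d, suffix-aware: %d\n",
           check_iname_fixed(a_string(1020)), check_iname_for_suffix(a_string(1020)));
    set_suffix(a_string(30));
    printf("1020-byte name with 30-byte -S suffix, fixed margin: %d, suffix-aware: %d\n",
           check_iname_fixed(a_string(1020)), check_iname_for_suffix(a_string(1020)));
    return 0;
}
```

Build with `cc -std=c99 -Wall`. With the 2048-byte argument the unchecked copy would run 2018 bytes past z_suffix, while set_suffix rejects it as the FreeBSD build does. The last two lines of output show why the fixed margin is worth a second look: a 1020-byte name passes the `sizeof(ifname) - 3` test, but once a 30-byte -S suffix is in effect it no longer fits, which only the suffix-aware check reports.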
Current thread:
- Re: New bugs discovered!, (continued)
- Re: New bugs discovered! Cabezon Aurélien (Nov 19)
- Re: New bugs discovered! Bernhard Rosenkraenzer (Nov 19)
- Re: New bugs discovered! Baba Bogdan (Nov 19)
- Re: New bugs discovered! Ciprian Csordas (Nov 19)
- Re: New bugs discovered! Chris Ess (Nov 19)
- Re: New bugs discovered! Bernhard Rosenkraenzer (Nov 19)
- Re: New bugs discovered! Valdis . Kletnieks (Nov 19)
- Re: New bugs discovered! Baba Bogdan (Nov 19)
- Re: New bugs discovered! InterceptiX Security (Nov 19)
- Re: New bugs discovered! Ron DuFresne (Nov 19)
- Re: New bugs discovered! Meritt James (Nov 19)
- Re: New bugs discovered! GomoR (Nov 19)
- Re: New bugs discovered! sy4n (Nov 19)
- Re: New bugs discovered! jnf (Nov 19)
- Re: New bugs discovered! Syzop (Nov 19)
- Re: New bugs discovered! X (Nov 19)
- Re: New bugs discovered! Croquette Friskies (Nov 19)
- Re: New bugs discovered! The Itch (Nov 19)
- Re: New bugs discovered! Alex Butcher (vuln-dev) (Nov 20)
- RE: New bugs discovered! dave . goldsmith (Nov 19)
- RE: New bugs discovered! DePriest, Jason R. (Nov 19)