Vulnerability Development mailing list archives

Re: New bugs discovered!


From: GomoR <GomoR () gomor org>
Date: Mon, 19 Nov 2001 10:14:03 +0100

On Sun, 18 Nov 2001 20:03:38 +0000 "vuln-dev" <vuln-dev () bugtraq org>
wrote:
> GOBBLES security is happy to announce the discovery of multiple bugs
> in /bin/gzip, which can be exploited remotely with a bit of creativity.
> Attached is our advisory on the matter.
>
> Enjoy the knowledge and remember to use it responsibly.
>
> The GOBBLES Team
> www.bugtraq.org
>
> (See attached file: gzip-advisory.txt)


        FreeBSD (I don't know about other BSDs) does not have the same
1.2.4 version as the one found on the www.gzip.org site. It seems they've
audited the code and corrected some bugs (maybe the code was audited
by the OpenBSD team, then the FreeBSD team adopted it, I don't know).

        So, by comparing the code of the downloaded file gzip-1.2.4.tar.gz
from www.gzip.org against the sources of gzip found on a FreeBSD
4.4-RELEASE system, we get the following diff:

freebsd$ diff gzip-1.2.4/gzip.c /usr/src/gnu/usr.bin/gzip/gzip.c
42c42
<  * too heavily. There is no ideal solution given the MSDOS 8+3 limitation. 
---
 * too heavily. There is no ideal solution given the MSDOS 8+3 limitation.
48c48
< static char rcsid[] = "$Id: gzip.c,v 0.24 1993/06/24 10:52:07 jloup Exp $";
---
static char rcsid[] = "$FreeBSD: src/gnu/usr.bin/gzip/gzip.c,v 1.10 1999/08/27 23:35:50 peter Exp $";
524c524,530
<             strcpy(z_suffix, optarg);
---
            if (z_len > sizeof(z_suffix)-1) {
                fprintf(stderr, "%s: -S suffix too long\n", progname);
                usage();
                do_exit(ERROR);
            }
            strncpy(z_suffix, optarg, sizeof z_suffix-1);
            z_suffix[sizeof z_suffix-1] = '\0';
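Review bot: the check `z_len > sizeof(z_suffix)-1` depends on `z_len` having been assigned from `strlen(optarg)` before this point, which is outside the hunk; please make sure that assignment sits directly above, since the check is worthless if `z_len` can be stale. Because the check already admits only suffixes that fit with their NUL, the `strncpy` bound and the explicit `z_suffix[sizeof z_suffix-1] = '\0'` are redundant with it (harmless, but a one-line comment saying the check is the real guard would stop someone from later dropping it on the grounds that strncpy is "already safe"). Also confirm `usage()` returns rather than exits, so that `do_exit(ERROR)` really sets the error status on this path.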
807c813
<       fprintf(stderr, "%s:\t%s", ifname, (int)strlen(ifname) >= 15 ? 
---
      fprintf(stderr, "%s:\t%s", ifname, (int)strlen(ifname) >= 15 ?
1008a1015,1021
    if (strlen(iname) >= sizeof(ifname) - 3) {
      errno = ENAMETOOLONG;
      perror(iname);
      exit_code = ERROR;
      return ERROR;
    }

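Review bot: the reserve of 3 in `strlen(iname) >= sizeof(ifname) - 3` is a magic number that is not tied to any suffix length; the earlier `-S` hunk accepts a suffix of up to `sizeof(z_suffix)-1` bytes, so if that suffix is later appended to `ifname`, three spare bytes will not cover it. Either derive the margin from the length of the suffix actually in use (`z_len`), or add a comment stating which fixed extension the 3 accounts for. Setting `exit_code = ERROR` before `return ERROR` and reporting through `perror` with `ENAMETOOLONG` is consistent with the `pathname too long` handling elsewhere in gzip.c, good.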
1576d1588
<     (void) chmod(ofname, 0777);
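Review bot: dropping `(void) chmod(ofname, 0777)` is the right direction, since mode 0777 hands every user read, write and execute on the output file and nothing in the hunk shows a reason the file needs that; on POSIX, removing or replacing a file needs write permission on its directory, not on the file itself. Leave a short comment at the removal site explaining why the call is unnecessary so it is not reintroduced for portability reasons.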
1636d1647
<     (void) chmod(ifname, 0777);
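Review bot: removing `(void) chmod(ifname, 0777)` is sound for the same reason a file never needs mode 0777 to be unlinked on POSIX, and this case is the more surprising one because `ifname` is the user's original input file, which a world-writable and executable mode exposed to every other local user for as long as it remained. Record the rationale in the commit message or a comment next to the deletion, as the hunk itself gives no explanation.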
1657c1668
<     
---

1678c1689
<     
---


        The problem with the validation of the path name is not present
in either of those two versions, because there is a validation :), and it
reads as follows:

   /* gzip.c, treat_dir(): nbuf must hold dir, a separator, d_name and the NUL */
   len = strlen(dir);
   if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
       strcpy(nbuf,dir);
       if (len != 0 /* dir = "" means current dir */
#ifdef PATH_SEP2
           && dir[len-1] != PATH_SEP2
#endif
#ifdef PATH_SEP3
           && dir[len-1] != PATH_SEP3
#endif
          ) {
           nbuf[len++] = PATH_SEP;
       }
       strcpy(nbuf+len, dp->d_name);
       treat_file(nbuf);
   } else {
       fprintf(stderr,"%s: %s/%s: pathname too long\n",
               progname, dir, dp->d_name);
       exit_code = ERROR;
   }

        So, the problem with buffer validation for the file name is not
present in the 1.2.4 version, but we can see that there is another buffer
validation problem with the -S parameter in the non-audited version
( strcpy(z_suffix, optarg); ).

        Here is an attempt to exploit it, on Linux, with the non-audited
version:

linux$ gzip -S `perl -e 'print "A" x 2048'`
gzip: incorrect suffix '(null)'

        And with the audited version on FreeBSD:

freebsd$ gzip -S `perl -e 'print "A" x 2048'`
gzip: -S suffix too long
usage: gzip [-cdfhlLnNrtvV19] [-S suffix] [file ...]


        I hope the information provided here will help somebody.

==========================================================
    FreeBSD Network - http://www.gomor.org/
    Security Engineer Junior
==========================================================
    =-----=> root is the only God I believe in <=-----=
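To make concrete what the two FreeBSD checks in the diff above guard against, here is an added example, not gzip's code and not from the post: the -S suffix check written as the audited gzip.c does it, plus an output-name check whose reserve is the length of the suffix actually in use rather than the fixed 3 bytes seen in the `1008a1015,1021` hunk. The buffer sizes MAX_SUFFIX and MAX_PATH_LEN and the function names are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_SUFFIX   31     /* assumed size of gzip's z_suffix[] (placeholder) */
#define MAX_PATH_LEN 1024   /* assumed size of ifname[]/ofname[] (placeholder) */

/* -S handling as the audited gzip.c does it: measure, reject before copying,
 * then copy a length known to fit, NUL included. 0 on success, -1 if too long. */
int set_suffix(char *z_suffix, size_t cap, const char *optarg)
{
    size_t z_len = strlen(optarg);
    if (z_len > cap - 1) {                  /* same test as in the FreeBSD diff */
        fprintf(stderr, "gzip: -S suffix too long\n");
        return -1;
    }
    memcpy(z_suffix, optarg, z_len + 1);    /* z_len + 1 <= cap: in bounds */
    return 0;
}

/* ofname = iname + z_suffix. The audited gzip reserves a fixed 3 bytes in ifname;
 * here the reserve is the length of the suffix actually in use, so an accepted
 * but long -S suffix cannot push the total past the buffer. -1 => ENAMETOOLONG. */
int make_output_name(char *ofname, size_t cap, const char *iname, const char *z_suffix)
{
    size_t ilen = strlen(iname), slen = strlen(z_suffix);
    if (ilen + slen + 1 > cap) {            /* +1 for the terminating NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(ofname, iname, ilen);
    memcpy(ofname + ilen, z_suffix, slen + 1);
    return 0;
}

int main(void)
{
    char z_suffix[MAX_SUFFIX], ofname[MAX_PATH_LEN], big[2049];
    memset(big, 'A', 2048);                 /* the post's `-S AAAA...` (2048 bytes) */
    big[2048] = '\0';
    printf("2048-byte suffix rejected: %s\n",
           set_suffix(z_suffix, sizeof z_suffix, big) == -1 ? "yes" : "no");
    if (set_suffix(z_suffix, sizeof z_suffix, ".gz") == 0 &&
        make_output_name(ofname, sizeof ofname, "file", z_suffix) == 0)
        printf("%s\n", ofname);             /* file.gz */
    return 0;
}
```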

