[ Executive summary: this is a problem that appears to be specific to Linux distributions using obsolete versions of gzip, including Slackware 7.1 and 8.0. Other problems *may* lurk in gzip, other distros and therefore packages (including FTP servers) which make use of gzip. ] On Sun, 18 Nov 2001, vuln-dev wrote: > GOBBLES security is happy to announce the discovery of multiple bugs in > /bin/gzip, which can be exploited remotely with a bit of creativity. > Attached is our advisory on the matter. > The GOBBLES Team > www.bugtraq.org >Researchers from GOBBLES SECURITY have discovered many bufferoverflow >in /bin/gzip on our Slackware 7.1 server in GOBBLES LABS. Tested on Red Hat 7.2: $ gzip -h gzip 1.3 (1999-12-21) usage: gzip [-cdfhlLnNrtvV19] [-S suffix] [file ...] [snip] Report bugs to <bug-gzipat_private>. $ /bin/gzip `perl -e 'print "A" x 2048'` gzip: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA : file name too long No segfault. :] >We could not find a contact email address for the makers of /bin/gzip >so instead we have decided to fully disclose our findings here on the >mailing lists and then we hope that the makers of /bin/gzip will read >this and then begin to start understanding the concepts of securely >programming their software so that no more systems can be comprimised by >their poor coding practices. $ cat gzip-1.3/AUTHORS gzip was written by Jean-loup Gailly <jloupat_private>, and Mark Adler for the decompression code. $ tail -1 gzip-1.3/TODO Send comments to <bug-gzipat_private>. and, of course the -h output. >GOBBLES thinks that experienced programmers who still let their code get >hacked by silly old stack overflows are very sad and pathetic >programmers! *ahem* >GOBBLES@LABSLACK:/hacking/gzip$ /bin/gzip -h >gzip 1.2.4 (18 Aug 93) ^^^^^^^^^ (Actually 1.2.4a according to the Slackware 7.1 package description) As Slackware 7.1 was released on 25 June 2000, it does seem rather sad that *they've* chosen to include 1.2.4a when 1.3 has been available since 21 December 1999. It's even sadder that it's still not been updated in Slackware 8.0, released 28 June 2001. :C 1.3 includes a check to make sure that the strcpy() isn't longer than MAX_PATH_LEN - 1. There are, however, plenty of strcpy()s lurking... >Many different Unix services use gzip in different ways such as FTP >daemons who like to let users run gzip and tar on full directories so >that they can let the users download a single nice tarball instead of a >lot of unorganized files and the compression makes the transfers go >faster sometimes. The idea of researching bufferoverflows in gzip was to >find if there were any and then to see if they can be exploited from ftp >servers. This is a legitimate concern and adminstrators of FTP servers and similar should consider the security of any applications they tie into their servers as well as the server and its configuration... Best Regards, Alex. -- Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com Berkshire, UK Is *your* company hiring UNIX/Security/Pen. testing folks? PGP/GnuPG ID:0x271fd950 http://www.cocoa.demon.co.uk/cv/
This archive was generated by hypermail 2b30 : Sun Nov 18 2001 - 21:35:11 PST