On Sun, 18 Nov 2001 20:03:38 +0000 "vuln-dev" <vuln-devat_private> wrote:

> GOBBLES security is happy to announce the discovery of multiple bugs
> in /bin/gzip, which can be exploited remotely with a bit of creativity.
> Attached is our advisory on the matter.
>
> Enjoy the knowledge and remember to use it responsibly.
>
> The GOBBLES Team
> www.bugtraq.org
>
> (See attached file: gzip-advisory.txt)

FreeBSD (I don't know about the other BSDs) does not have the same 1.2.4
version as the one found on the www.gzip.org site. It seems they've audited
the code and corrected some bugs (maybe the code was audited by the OpenBSD
team, then the FreeBSD team adopted it, I don't know).

So, by comparing the code of the file gzip-1.2.4.tar.gz downloaded from
www.gzip.org against the sources of gzip found on a FreeBSD 4.4-RELEASE
system, we can see the diff as follows:

freebsd$ diff gzip-1.2.4/gzip.c /usr/src/gnu/usr.bin/gzip/gzip.c
42c42
<  * too heavily. There is no ideal solution given the MSDOS 8+3 limitation.
---
>  * too heavily. There is no ideal solution given the MSDOS 8+3 limitation.
48c48
< static char rcsid[] = "$Id: gzip.c,v 0.24 1993/06/24 10:52:07 jloup Exp $";
---
> static char rcsid[] = "$FreeBSD: src/gnu/usr.bin/gzip/gzip.c,v 1.10 1999/08/27 23:35:50 peter Exp $";
524c524,530
<             strcpy(z_suffix, optarg);
---
>             if (z_len > sizeof(z_suffix)-1) {
>                 fprintf(stderr, "%s: -S suffix too long\n", progname);
>                 usage();
>                 do_exit(ERROR);
>             }
>             strncpy(z_suffix, optarg, sizeof z_suffix-1);
>             z_suffix[sizeof z_suffix-1] = '\0';
807c813
<           fprintf(stderr, "%s:\t%s", ifname, (int)strlen(ifname) >= 15 ?
---
>           fprintf(stderr, "%s:\t%s", ifname, (int)strlen(ifname) >= 15 ?
1008a1015,1021
>     if (strlen(iname) >= sizeof(ifname) - 3) {
>         errno = ENAMETOOLONG;
>         perror(iname);
>         exit_code = ERROR;
>         return ERROR;
>     }
>
1576d1588
<     (void) chmod(ofname, 0777);
1636d1647
<     (void) chmod(ifname, 0777);
1657c1668
<
---
>
1678c1689
<
---
>

The problem with validation of the path name is not present in either of
those two versions, because there is a validation :), and it comes as
follows:

    len = strlen(dir);
    if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
        strcpy(nbuf,dir);
        if (len != 0
#ifdef PATH_SEP
            && dir[len-1] != PATH_SEP
#endif
#ifdef PATH_SEP2
            && dir[len-1] != PATH_SEP2
#endif
#ifdef PATH_SEP3
            && dir[len-1] != PATH_SEP3
#endif
        ) {
            nbuf[len++] = PATH_SEP;
        }
        strcpy(nbuf+len, dp->d_name);
        treat_file(nbuf);
    } else {
        fprintf(stderr,"%s: %s/%s: pathname too long\n",
                progname, dir, dp->d_name);
        exit_code = ERROR;
    }

So, the problem with buffer validation for the file name is not present in
the 1.2.4 version, but we can see that there is another buffer validation
problem with the -S parameter in the non-audited version
( strcpy(z_suffix, optarg); ).

Here is a try to exploit it, on Linux, with the non-audited version:

linux$ gzip -S `perl -e 'print "A" x 2048'`
gzip: incorrect suffix '(null)'

And with the audited version on FreeBSD:

freebsd$ gzip -S `perl -e 'print "A" x 2048'`
gzip: -S suffix too long
usage: gzip [-cdfhlLnNrtvV19] [-S suffix] [file ...]

I hope the information provided here will help somebody.

==========================================================
FreeBSD Network - http://www.gomor.org/
Security Engineer Junior
==========================================================
=-----=> root is the only God I believe in <=-----=
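Review bot: in the 524c524,530 hunk the guard `if (z_len > sizeof(z_suffix)-1)` reads z_len, but nothing inside the hunk assigns it, so the check is only sound if `z_len = strlen(optarg)` still runs before this point (it is outside the hunk and should be confirmed, since the unaudited version's "incorrect suffix" message shows the length was previously examined only after the copy). The copy itself is consistent with the guard: `strncpy(z_suffix, optarg, sizeof z_suffix-1)` followed by `z_suffix[sizeof z_suffix-1] = '\0'` terminates the buffer even if the guard were ever bypassed. One gap: an empty suffix (z_len == 0) passes this test, so whatever rejects it must remain elsewhere.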
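Review bot: in the 1008a1015,1021 hunk the bound `strlen(iname) >= sizeof(ifname) - 3` uses an unexplained constant; a one-line comment stating what the three reserved bytes are for would save the next auditor from re-deriving it. Because the test rejects equality, an accepted name is at most sizeof(ifname) - 4 characters, so the name plus its terminator occupies at most sizeof(ifname) - 3 bytes and three bytes of slack remain. Reporting through `errno = ENAMETOOLONG; perror(iname);` and returning ERROR is the right shape: the user gets the standard message and the file is skipped rather than silently truncated.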
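Review bot: the 1576d1588 and 1636d1647 hunks drop `(void) chmod(ofname, 0777);` and `(void) chmod(ifname, 0777);`, which is a sound removal: on Unix, unlink and rename need write permission on the containing directory, not on the file, so these calls never made the subsequent removal succeed and only left the input or output file world-writable and world-executable for a window. A short comment or commit note explaining why they are gone would stop someone reintroducing them for portability reasons.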
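The two bounds checks the post contrasts (the unbounded -S copy versus the audited version, and the treat_dir path-length test) are easier to reason about as stand-alone functions with a small driver. The code below is an added example, not gzip's own source: it borrows the buffer names from the post, but set_suffix, join_path and the size constants MAX_SUFFIX and MAX_PATH_LEN are assumptions standing in for gzip's internals.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes standing in for gzip's MAX_SUFFIX and MAX_PATH_LEN. */
#define MAX_SUFFIX   30
#define MAX_PATH_LEN 1024

static char z_suffix[MAX_SUFFIX + 1];   /* fixed-size global, as in gzip */

/* The unaudited 1.2.4 pattern was an unbounded copy of a user-chosen
 * argument into the fixed buffer above:
 *     strcpy(z_suffix, optarg);
 * Hardened form, following the FreeBSD hunk: measure, reject, then copy with
 * an explicit bound and an explicit terminator. Returns 0 on success, -1 if
 * the suffix is rejected; z_suffix is left untouched on rejection. */
int set_suffix(const char *optarg)
{
    size_t z_len = strlen(optarg);

    if (z_len == 0 || z_len > sizeof(z_suffix) - 1) {
        fprintf(stderr, "gzip: -S suffix too long\n");
        return -1;
    }
    strncpy(z_suffix, optarg, sizeof z_suffix - 1);
    z_suffix[sizeof z_suffix - 1] = '\0';
    return 0;
}

const char *current_suffix(void) { return z_suffix; }

/* treat_dir-style join of dir and entry name into nbuf. The length test is
 * the one quoted in the post (len + namelen + 1 < size - 1): it reserves room
 * for a separator and the terminator before anything is written. Returns 0,
 * or -1 with errno = ENAMETOOLONG and nbuf unmodified. */
int join_path(char *nbuf, size_t nbuf_size, const char *dir, const char *name)
{
    size_t len  = strlen(dir);
    size_t nlen = strlen(name);

    if (nbuf_size < 2 || len + nlen + 1 >= nbuf_size - 1) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(nbuf, dir, len);
    if (len != 0 && dir[len - 1] != '/')
        nbuf[len++] = '/';
    memcpy(nbuf + len, name, nlen + 1);   /* copies the NUL as well */
    return 0;
}

/* Self-check for the rejection path: a constructed 2048-byte argument, like
 * the one in the post's test run, must be refused and must not disturb the
 * buffer. Returns 1 if both hold. */
int long_suffix_is_rejected(void)
{
    char big[2049];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (set_suffix("gz") != 0)
        return 0;
    if (set_suffix(big) != -1)
        return 0;
    return strcmp(z_suffix, "gz") == 0;
}

/* Self-check for the path join using a deliberately small buffer so the
 * limit is exercised. Returns 1 if every case behaves as expected. */
int path_checks_pass(void)
{
    char nbuf[16];

    if (join_path(nbuf, sizeof nbuf, "/tmp", "a.gz") != 0 ||
        strcmp(nbuf, "/tmp/a.gz") != 0)
        return 0;
    if (join_path(nbuf, sizeof nbuf, "/tmp/", "a.gz") != 0 ||
        strcmp(nbuf, "/tmp/a.gz") != 0)
        return 0;
    if (join_path(nbuf, sizeof nbuf, "/tmp", "toolongname.gz") != -1 ||
        errno != ENAMETOOLONG)
        return 0;
    return 1;
}

int main(void)
{
    printf("long -S suffix rejected, buffer intact: %d\n",
           long_suffix_is_rejected());
    printf("path-length checks pass: %d\n", path_checks_pass());
    return 0;
}
```

The point of keeping the check and the copy adjacent is visible in the two functions: each computes the length once, refuses before writing a byte, and then writes with a bound derived from the same sizeof the check used, so the two cannot drift apart during later edits.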
This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 11:09:07 PST