|
Vulnerability Development
mailing list archives
Re: New bugs discovered!
From: "Alex Butcher (vuln-dev)" <vulndev () cocoa demon co uk>
Date: Mon, 19 Nov 2001 01:21:01 +0000 (GMT)
[ Executive summary: this is a problem that appears to be specific to
Linux distributions using obsolete versions of gzip, including Slackware
7.1 and 8.0. Other problems *may* lurk in gzip, other distros and
therefore packages (including FTP servers) which make use of gzip. ]
On Sun, 18 Nov 2001, vuln-dev wrote:
GOBBLES security is happy to announce the discovery of multiple bugs in
/bin/gzip, which can be exploited remotely with a bit of creativity.
Attached is our advisory on the matter.
The GOBBLES Team
www.bugtraq.org
Researchers from GOBBLES SECURITY have discovered many bufferoverflow
in /bin/gzip on our Slackware 7.1 server in GOBBLES LABS.
Tested on Red Hat 7.2:
$ gzip -h
gzip 1.3
(1999-12-21)
usage: gzip [-cdfhlLnNrtvV19] [-S suffix] [file ...]
[snip]
Report bugs to <bug-gzip () gnu org>.
$ /bin/gzip `perl -e 'print "A" x 2048'`
gzip:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
:
file name too long
No segfault. :]
We could not find a contact email address for the makers of /bin/gzip
so instead we have decided to fully disclose our findings here on the
mailing lists and then we hope that the makers of /bin/gzip will read
this and then begin to start understanding the concepts of securely
programming their software so that no more systems can be comprimised by
their poor coding practices.
$ cat gzip-1.3/AUTHORS
gzip was written by Jean-loup Gailly <jloup () gzip org>,
and Mark Adler for the decompression code.
$ tail -1 gzip-1.3/TODO
Send comments to <bug-gzip () gnu org>.
and, of course the -h output.
GOBBLES thinks that experienced programmers who still let their code get
hacked by silly old stack overflows are very sad and pathetic
programmers!
*ahem*
GOBBLES () LABSLACK:/hacking/gzip$ /bin/gzip -h
gzip 1.2.4 (18 Aug 93)
^^^^^^^^^
(Actually 1.2.4a according to the Slackware 7.1 package description)
As Slackware 7.1 was released on 25 June 2000, it does seem rather sad
that *they've* chosen to include 1.2.4a when 1.3 has been available since
21 December 1999. It's even sadder that it's still not been updated in
Slackware 8.0, released 28 June 2001. :C
1.3 includes a check to make sure that the strcpy() isn't longer than
MAX_PATH_LEN - 1. There are, however, plenty of strcpy()s lurking...
Many different Unix services use gzip in different ways such as FTP
daemons who like to let users run gzip and tar on full directories so
that they can let the users download a single nice tarball instead of a
lot of unorganized files and the compression makes the transfers go
faster sometimes. The idea of researching bufferoverflows in gzip was to
find if there were any and then to see if they can be exploited from ftp
servers.
This is a legitimate concern and adminstrators of FTP servers and similar
should consider the security of any applications they tie into their
servers as well as the server and its configuration...
Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950 http://www.cocoa.demon.co.uk/cv/
 By Date 
By Thread
Current thread:
| 
Intro
