Full Disclosure mailing list archives

Re: cpio privilege escalation vulnerability via setuid files in cpio archive


From: Georgi Guninski <gguninski () gmail com>
Date: Tue, 9 Jan 2024 09:10:25 +0200

On Tue, Jan 9, 2024 at 12:45 AM Harry Sintonen <harry () sintonen fi> wrote:
> On Mon, 8 Jan 2024, Georgi Guninski wrote:
>> When extracting archives cpio (at least version 2.13) preserves
>> the setuid flag, which might lead to privilege escalation.
>
> So does for example tar. The same rules that apply to tar also apply to
> cpio:
>

Hi, thanks for the feedback :)

Which version of tar is vulnerable to this attack? I am pretty sure
this was fixed in tar and zip `long long` ago.

tar and zip on fedora 38 are definitely not vulnerable, they clear
the setuid bit.

I continue to suspect this is a vulnerability because:
1. There is directory traversal protection for untrusted archives
2. tar and zip are not vulnerable

bash script for setuid files in tar:

#!/bin/bash

mkdir -p /tmp/1 ; cd /tmp/1 ; :> a
chmod 4755 a ; tar cvf a.tar a
mkdir -p /tmp/2 ; cd /tmp/2 ; tar xvf /tmp/1/a.tar
ls -lh /tmp/1/a
#-rwsr-xr-x. 1 joro joro 0 Jan  9 06:13 /tmp/1/a #original setuid
ls -lh /tmp/2/a
#-rwxr-xr-x. 1 joro joro 0 Jan  9 06:13 /tmp/2/a #NOT setuid
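As an added example (not part of the mail, nor code from the cpio or tar projects), a pre-extraction audit that lists setuid/setgid entries in an archive before anything is written to disk; it parses the SVR4 "newc" cpio format (what `cpio -o -H newc` writes) directly and hands anything else to Python's tarfile module, and the sample archives are constructed in memory:

```python
import io
import stat
import tarfile

NEWC_MAGIC = b"070701"  # SVR4 "newc" header magic, as written by `cpio -o -H newc`
NEWC_FIELDS = ["ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
               "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check"]

def _pad4(n):  # newc pads header+name and file data to 4-byte boundaries
    return (4 - n % 4) % 4

def cpio_newc_entries(data):  # yields (name, mode) per entry of an in-memory newc archive
    pos = 0
    while pos + 110 <= len(data):
        if data[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc header at offset %d" % pos)
        # the 6-byte magic is followed by 13 fields of 8 ASCII hex digits each
        f = {k: int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16)
             for i, k in enumerate(NEWC_FIELDS)}
        pos += 110
        name = data[pos:pos + f["namesize"] - 1].decode()  # drop the trailing NUL
        pos += f["namesize"] + _pad4(110 + f["namesize"])
        if name == "TRAILER!!!":
            return
        yield name, f["mode"]
        pos += f["filesize"] + _pad4(f["filesize"])

def privileged_entries(archive):
    """Return [(name, '0o<perm>')] for every entry carrying S_ISUID or S_ISGID."""
    if archive.startswith(NEWC_MAGIC):
        entries = list(cpio_newc_entries(archive))
    else:  # anything else goes to tarfile, which rejects non-tar input
        with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
            entries = [(m.name, m.mode) for m in tf.getmembers()]
    return [(n, oct(m & 0o7777)) for n, m in entries if m & (stat.S_ISUID | stat.S_ISGID)]

def _newc_entry(name, mode, content=b""):  # constructed sample data, not from a real system
    nb = name.encode() + b"\0"
    vals = [1, mode, 0, 0, 1, 0, len(content), 0, 0, 0, 0, len(nb), 0]
    hdr = NEWC_MAGIC + b"".join(b"%08x" % v for v in vals)
    return hdr + nb + b"\0" * _pad4(110 + len(nb)) + content + b"\0" * _pad4(len(content))

def sample_cpio():  # one plain file, one setuid file, then the mandatory trailer
    return (_newc_entry("bin/ok", 0o100644, b"x") + _newc_entry("bin/a", 0o104755, b"x")
            + _newc_entry("TRAILER!!!", 0))

def sample_tar():  # the same two files as a tar stream, for the comparison the mail makes
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, mode in (("ok", 0o644), ("a", 0o4755)):
            ti = tarfile.TarInfo(name); ti.mode = mode; tf.addfile(ti)
    return buf.getvalue()
```

Both sample archives carry the setuid bit in their headers; whether it survives extraction is then up to the extracting tool, which is exactly the difference the mail describes.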
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
