Full Disclosure mailing list archives
Re: UNIX Tar Security Advisory from TEAM PWN4GE
From: Volker Tanger <vtlists () wyae de>
Date: Wed, 2 Feb 2005 23:18:12 +0100
Greetings!

On Thu, 03 Feb 2005 04:32:08 +0800 "Team Pwnge" <team_pwn4ge () outgun com> wrote:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TEAM PWN4GE Security Advisory PWNED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: HIGH
Title: TAR: Local root exploit using Tar
Date: February 02, 2005
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
...is not reproducible. PoC fails in several steps.
Proof of Concept
================

    # tar -cf parishiltonpr0n.tar /etc/shadow

Chmod for /etc/shadow must be set to 600 by design, so tar fails as expected with "tar: /etc/shadow: Cannot open: Permission denied".

Okay, for completeness' sake, continuing with a 644'ed /etc/shadow, just in case.

    $ tar -xvf parishiltonpr0n.tar
    tar: blocksize = 8
    x /etc/shadow, 1100 bytes, 5 tape blocks
Permission problem here as well - tar fails with "tar: shadow: Cannot open: File exists".

So the attack is only successful if you have the permissions of /etc/shadow set to 666 or similar, which is an evil thing (sorry for the pun). If the password file is world-writable anyway you don't even need the way 'round with tar and HTTP transfer - simply set your own passwords for anyone you would like to - VI or EMACS is all you need in this case. Similarly if /etc/ itself is set to 777.

Alternatively the TAR binary might be SUID'ed, which is A Bad Idea(TM), too - as are all SUID'ed programs that can write to arbitrary locations...

So the problem is not TAR, but the "cracked" wide-open system, that was misconfigured against all defaults and standards.

Bye

Volker

--
Volker Tanger
http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de
PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
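The reply above boils the "exploit" down to three preconditions that no default system meets: a world-writable /etc/shadow, a world-writable /etc, or a setuid tar binary. The following audit script is an added example, not part of Volker's post or the original advisory; the function names are made up for it, and it reads modes with ls(1) and cut(1) only, so it runs under any POSIX shell as an unprivileged user (checking the mode of /etc/shadow does not require reading its contents):

```shell
#!/bin/sh
# Added example: audit the preconditions the tar "local root" PoC actually needs.
# Helper names (world_writable, is_setuid, audit_tar_claim) are hypothetical.

# Return 0 if "others" have write permission on $1 (9th char of ls -ld is 'w').
world_writable() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Return 0 if $1 carries the setuid bit (4th char of ls -ld is 's' or 'S').
is_setuid() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???[sS]??????) return 0 ;;
        *)             return 1 ;;
    esac
}

# $1: shadow file, $2: its directory, $3: tar binary.
# Prints each misconfiguration found; returns 0 only if none is present,
# i.e. the tar-based overwrite described in the advisory cannot work.
audit_tar_claim() {
    status=0
    if world_writable "$1"; then
        echo "$1 is world-writable: anyone can edit password hashes directly"
        status=1
    fi
    if world_writable "$2"; then
        echo "$2 is world-writable: anyone can replace files in it"
        status=1
    fi
    if is_setuid "$3"; then
        echo "$3 is setuid: extraction would write as its owner"
        status=1
    fi
    return $status
}

# Demonstration against the real paths named in the thread, when they exist.
if [ -e /etc/shadow ] && [ -d /etc ]; then
    audit_tar_claim /etc/shadow /etc "$(command -v tar || echo /bin/tar)" \
        && echo "no misconfiguration found; the PoC fails as in the reply"
fi
```

Run it as any user; a non-zero exit means the box is already writable by its users in a way that needs no tar at all, which is exactly the point made in the reply.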
Current thread:
- UNIX Tar Security Advisory from TEAM PWN4GE Team Pwnge (Feb 02)
- Re: UNIX Tar Security Advisory from TEAM PWN4GE Niek (Feb 02)
- <Possible follow-ups>
- Re: UNIX Tar Security Advisory from TEAM PWN4GE Volker Tanger (Feb 02)
- Re: UNIX Tar Security Advisory from TEAM PWN4GE Chris Howells (Feb 02)
- Re: UNIX Tar Security Advisory from TEAM PWN4GE Valdis . Kletnieks (Feb 02)