Full Disclosure mailing list archives
Re: GNU tar directory traversal
From: "Jeb Osama" <mkmaxx () gmail com>
Date: Wed, 22 Nov 2006 07:45:19 +0530
From: Teemu Salmela <teemu.salmela () iki fi>

GNU tar directory traversal
----------------------------------------------------------------------------

What is it?

When i download a tar file (warez.tar.gz in this example) from the web and run the following commands:

$ mkdir ~/warez
$ tar xzf warez.tar.gz -C ~/warez

, then i would expect that tar doesn't create or replace any files outside the ~/warez directory. Today, i was browsing the GNU tar source code trying to find a way to create/overwrite arbitrary files, and i found it! Normal tar symlinks/hardlinks are handled correctly in GNU tar (i think), but there is one tar record type, called GNUTYPE_NAMES (this is some kind of GNU extension, i think), that allows me to create symbolic links (inside the ~/warez directory, in this example) pointing to arbitrary locations in the filesystem. In the exploit, i make a symbolic link called "xyz", pointing to "/". After that record, more records would follow that extract files to the "xyz" directory.

Version numbers:
----------------------------------------------------------------------------
I tested this on Ubuntu 6.06 LTS, GNU tar 1.16 and GNU tar 1.15.1 (this one comes with Ubuntu)

Vulnerable code:
----------------------------------------------------------------------------
See extract_archive() in extract.c and extract_mangle() in mangle.c.

Exploit:
----------------------------------------------------------------------------
[snip tEh C code]

--
fscanf(socket,"%s",buf);
printf(buf);
sprintf(query, "SELECT %s FROM table", buf);
sprintf(cmd, "echo %s | sqlquery", query);
system(cmd);
Teemu Salmela
----------------------------------------------------------------------------

LOLOLOLOLOLOLOLOLOL

That's pretty much the purpose of symlinks.. What's your point in posting this fact in FD?

Jeb
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
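
A pre-extraction audit for the pattern the quoted advisory describes (a link created inside the destination that points elsewhere, followed by records written through it), as an added example that is not part of either message or of GNU tar. It uses Python's tarfile module; the "N" typeflag for GNUTYPE_NAMES comes from GNU tar's tar.h, and the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile

GNUTYPE_NAMES = b"N"  # typeflag GNU tar's tar.h assigns to GNUTYPE_NAMES records


def escapes(path):  # True if path is absolute or climbs above the archive root
    return posixpath.normpath(path).split("/")[0] in ("", "..")


def audit_tar(fileobj):
    """List (member, reason) findings for an archive without extracting anything."""
    findings, links = [], set()  # links: paths the archive itself turns into links
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            if m.type == GNUTYPE_NAMES:
                findings.append((m.name, "GNUTYPE_NAMES record"))
            if escapes(name):
                findings.append((m.name, "member name leaves extraction directory"))
            # A leading component that an earlier member made a link redirects the write.
            if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
                findings.append((m.name, "path passes through archive-created link"))
            if m.issym() or m.islnk():
                # Symlink targets resolve from the link's directory, hard links from the root.
                base = posixpath.dirname(name) if m.issym() else ""
                if escapes(posixpath.join(base, m.linkname)):
                    findings.append((m.name, "link target leaves extraction directory"))
                links.add(name)
    return findings


def build_sample():
    """Constructed input: link "xyz" -> "/", a file under it, an 'N' record, a plain file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        link = tarfile.TarInfo("xyz")
        link.type, link.linkname = tarfile.SYMTYPE, "/"
        tar.addfile(link)
        data = b"constructed placeholder\n"  # not real GNUTYPE_NAMES syntax
        for name, kind in (("xyz/demo.txt", tarfile.REGTYPE),
                           ("names", GNUTYPE_NAMES), ("ok.txt", tarfile.REGTYPE)):
            info = tarfile.TarInfo(name)
            info.type, info.size = kind, len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

Calling audit_tar(build_sample()) reports the link, the file routed through it and the "N" record, and leaves ok.txt unflagged; an archive with any finding should be unpacked only in a throwaway directory or rejected.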