Full Disclosure mailing list archives
Re: GNU tar directory traversal
From: Gouki <Gouki () GoukiHQ org>
Date: Wed, 22 Nov 2006 02:30:59 +0000
Jeb, even so, I don't think 'LOLOLOLOL' is the best way to let Teemu know that. I personally would not like this kind of attitude. Don't take this the wrong way, I just didn't like this behavior on a list like this.

Take care.

Regards,
Gouki

On Wed, 2006-11-22 at 07:45 +0530, Jeb Osama wrote:
> > From: Teemu Salmela <teemu.salmela () iki fi>
> >
> > GNU tar directory traversal
> > ----------------------------------------------------------------------------
> >
> > What is it?
> >
> > When I download a tar file (warez.tar.gz in this example) from the web and
> > run the following commands:
> >
> >   $ mkdir ~/warez
> >   $ tar xzf warez.tar.gz -C ~/warez
> >
> > then I would expect that tar doesn't create or replace any files outside the
> > ~/warez directory. Today, I was browsing the GNU tar source code trying to
> > find a way to create/overwrite arbitrary files, and I found it!
> >
> > Normal tar symlinks/hardlinks are handled correctly in GNU tar (I think), but
> > there is one tar record type, called GNUTYPE_NAMES (this is some kind of GNU
> > extension, I think), that allows me to create symbolic links (inside the
> > ~/warez directory, in this example) pointing to arbitrary locations in the
> > filesystem. In the exploit, I make a symbolic link called "xyz", pointing to
> > "/". After that record, more records would follow that extract files to the
> > "xyz" directory.
> >
> > Version numbers:
> > ----------------------------------------------------------------------------
> >
> > I tested this on Ubuntu 6.06 LTS, GNU tar 1.16 and GNU tar 1.15.1 (this one
> > comes with Ubuntu).
> >
> > Vulnerable code:
> > ----------------------------------------------------------------------------
> >
> > See extract_archive() in extract.c and extract_mangle() in mangle.c.
> >
> > Exploit:
> > ----------------------------------------------------------------------------
> >
> [snip tEh C code]
> >
> > --
> > fscanf(socket,"%s",buf); printf(buf);
> > sprintf(query, "SELECT %s FROM table", buf);
> > sprintf(cmd, "echo %s | sqlquery", query);
> > system(cmd);
> >
> > Teemu Salmela
> > ----------------------------------------------------------------------------
>
> LOLOLOLOLOLOLOLOLOL
>
> That's pretty much the purpose of symlinks.. What's your point in posting this
> fact in FD?
>
> Jeb
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
*//=================================================================
   .-.    Fingerprint: 4B36 0BC2 82CE 6858 4893 7132 BC98 A7E4 3482 BA17
   /v\    Size / Type: 1024/DSA
  // \\   Availability: MIT's PKS - pgp.mit.edu
 /(   )\  Homepage: GoukiHQ.org
  ^^-^^   |PHEAR THE PENGUIN|
*//=================================================================
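The traversal Teemu describes in the quoted advisory has two steps: a member that creates a symlink inside the extraction directory pointing at "/", and later members whose names pass through that link. The GNUTYPE_NAMES record is only the GNU-specific route to the first step; any extractor that writes member paths through a symlink it has just created is open to the same trick, which is also why Jeb's "that's the purpose of symlinks" misses the point: creating the link is harmless, writing through it during extraction is not. The following Python example is added here and is not code from the original post or from GNU tar. It constructs such an archive with the standard `tarfile` module (an ordinary typeflag '2' symlink member stands in for the GNUTYPE_NAMES record), extracts it once naively and once behind a confinement check that refuses member names passing through a symlink, absolute or `..` names, and symlink targets resolving outside the extraction root. The helper names (`build_tar`, `check_member`, `extract`, `run`, `benign_ok`) and the temporary directory that stands in for "/" are this example's own, so the demonstration touches nothing outside the temp area.

```python
"""Archive symlink traversal of the kind described in the quoted advisory, with
a confinement check that refuses it. Added example, not code from the original
post or from GNU tar: an ordinary symlink member (typeflag '2') stands in for
the GNUTYPE_NAMES record; the write through the link that follows is the same."""
import io
import os
import shutil
import tarfile
import tempfile


def build_tar(entries):
    """Archive from (name, linkname, payload) tuples: a set linkname makes a
    symlink member, otherwise payload becomes a regular file's content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, linkname, payload in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _inside(root_real, path):
    """True if path, after resolving symlinks already on disk, stays under root."""
    real = os.path.realpath(path)
    return real == root_real or real.startswith(root_real + os.sep)


def check_member(root, member):
    """Return the destination for member, or raise ValueError if writing it could
    touch anything outside root: absolute or '..' names, a parent component that
    is already a symlink (what 'xyz -> /' then 'xyz/...' relies on), or a symlink
    whose target resolves outside root."""
    root_real = os.path.realpath(root)
    parts = member.name.split("/")
    if member.name.startswith("/") or ".." in parts:
        raise ValueError("unsafe member name %r" % member.name)
    dest = os.path.join(root_real, member.name)
    cur = root_real
    for comp in parts[:-1]:  # every parent must be a real directory, not a link
        cur = os.path.join(cur, comp)
        if os.path.islink(cur):
            raise ValueError("%r passes through symlink %r" % (member.name, cur))
    if not _inside(root_real, dest):
        raise ValueError("%r resolves outside %r" % (member.name, root_real))
    if member.issym():
        if member.linkname.startswith("/"):
            raise ValueError("symlink %r has absolute target" % member.name)
        target = os.path.normpath(os.path.join(os.path.dirname(dest), member.linkname))
        if not _inside(root_real, target):
            raise ValueError("symlink %r escapes to %r" % (member.name, member.linkname))
    return dest


def extract(data, root, check):
    """check=False is the naive behaviour the advisory relies on; check=True vets
    each member first. Only regular files and symlinks are written; hard links,
    devices and other member types are refused outright."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf:
            dest = check_member(root, m) if check else os.path.join(root, m.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, dest)
            elif m.isreg():
                with open(dest, "wb") as fh:  # follows root/xyz if it is a symlink
                    fh.write(tf.extractfile(m).read())
            else:
                raise ValueError("unsupported member type %r" % m.type)
            written.append(dest)
    return written


def run(check):
    """Extract a constructed 'xyz -> <outside dir>' archive into a fresh root. A
    temporary directory stands in for the advisory's '/' so nothing real is hit."""
    outside, root = tempfile.mkdtemp(prefix="outside-"), tempfile.mkdtemp(prefix="root-")
    evil = build_tar([("xyz", outside, None), ("xyz/pwned", None, b"owned\n")])
    refused = False
    try:
        extract(evil, root, check)
    except ValueError:
        refused = True
    escaped = os.path.isfile(os.path.join(outside, "pwned"))
    shutil.rmtree(outside)
    shutil.rmtree(root)
    return {"refused": refused, "escaped": escaped}


def benign_ok():
    """A harmless archive (file plus relative in-tree symlink) passes the check."""
    root = tempfile.mkdtemp(prefix="root-")
    data = build_tar([("docs/readme", None, b"hello\n"), ("latest", "docs/readme", None)])
    written = extract(data, root, check=True)
    ok = os.path.islink(os.path.join(root, "latest")) and len(written) == 2
    shutil.rmtree(root)
    return ok


if __name__ == "__main__":
    print("naive:", run(check=False), "checked:", run(check=True), "benign:", benign_ok())
```

The naive run leaves `pwned` in the stand-in "outside" directory even though extraction was pointed at a fresh root, which is exactly the `tar xzf ... -C ~/warez` expectation the advisory says is violated; the checked run rejects the very first member because its target is absolute, and would equally reject `xyz/pwned` on its own because the parent component is a symlink. The check is a per-member decision made just before the write, in the same process that owns the directory, so there is no window for the link to appear between check and use.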
Current thread:
- GNU tar directory traversal Teemu Salmela (Nov 21)
- <Possible follow-ups>
- Re: GNU tar directory traversal Jeb Osama (Nov 21)
- Re: GNU tar directory traversal Gouki (Nov 21)
- Re: GNU tar directory traversal Teemu Salmela (Nov 22)
- Re: GNU tar directory traversal Siim Põder (Nov 22)
- Re: GNU tar directory traversal Teemu Salmela (Nov 22)
- Re: GNU tar directory traversal virus (Nov 22)
- Re: GNU tar directory traversal Siim Põder (Nov 22)
- Re: GNU tar directory traversal virus (Nov 22)
- Re: GNU tar directory traversal Siim Põder (Nov 22)
- Re: GNU tar directory traversal virus (Nov 23)
- Re: GNU tar directory traversal virus (Nov 23)