Full Disclosure mailing list archives
Re: cpio privilege escalation vulnerability via setuid files in cpio archive
From: fulldisclosure <fulldisclosure () evolution-hosting eu>
Date: Wed, 10 Jan 2024 12:11:41 +0100
Am 08.01.24 um 10:25 schrieb Georgi Guninski:
One example is r00t extracts to/tmp/ and scidiot runs /tmp/micq/backd00r without further interaction from root. We believe this is vulnerability, since directory traversal in cpio is considered vulnerability.
It's not a vulnerability, asa) cpio archives must archive that flag as cpio is part of RPM packages and those must be able to contain setuid flags. Otherwise, you would need to add chmod u+s cmds to any %POST section. Breaking this, would invalidate so many existing packages => won't happen
note: initramfs makes use of cpio as well, but setuid is not needed here, as it's already running as root
b) it's not cpio's fault, if roidiot unpacks (insecure) archives as root to "public" available places.
c) If you consider "keeping the file flags intact" a vulnerability, you would also consider TAR as vulnerable:
as root: # cd /tmp/ # touch setuid.sh # chmod u+srwx setuid.sh # tar cv setuid.sh | tar x -C tmp/ setuid.sh # ls -ls tmp/ insgesamt 0 0 -rwsr--r--. 1 root root 0 10. Jan 11:55 setuid.shYou could not backup your system correctly anymore, if TAR would change this, as setuid files could be valid for your system.
The archivsofware isn't the issue here, as it's neutral technology. In this case, the admin has to keep this in mind and not unpack a potential risky piece of software to a user available place.
best regards, Marius Schwarz _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- cpio privilege escalation vulnerability via setuid files in cpio archive Georgi Guninski (Jan 08)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive fulldisclosure (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Harry Sintonen via Fulldisclosure (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Georgi Guninski (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Harry Sintonen via Fulldisclosure (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Georgi Guninski (Jan 14)