Full Disclosure mailing list archives
Re: cpio privilege escalation vulnerability via setuid files in cpio archive
From: Georgi Guninski <gguninski () gmail com>
Date: Tue, 9 Jan 2024 09:10:25 +0200
On Tue, Jan 9, 2024 at 12:45 AM Harry Sintonen <harry () sintonen fi> wrote:
> On Mon, 8 Jan 2024, Georgi Guninski wrote:
>> When extracting archives cpio (at least version 2.13) preserves the setuid flag, which might lead to privilege escalation.
> So does for example tar. The same rules that apply to tar also apply to cpio:
Hi, thanks for the feedback :)

Which version of tar is vulnerable to this attack? I am pretty sure this was fixed in tar and zip `long long` ago. tar and zip on fedora 38 are definitely not vulnerable, they clear the setuid bit.

I continue to suspect this is a vulnerability because:
1. There is directory traversal protection for untrusted archives
2. tar and zip are not vulnerable

bash script for setuid files in tar:

#!/bin/bash
# create an empty setuid file and archive it with tar
mkdir -p /tmp/1 ; cd /tmp/1 ; :> a
chmod 4755 a ; tar cvf a.tar a
# extract the archive as an unprivileged user into a fresh directory
mkdir -p /tmp/2 ; cd /tmp/2 ; tar xvf /tmp/1/a.tar
ls -lh /tmp/1/a
#-rwsr-xr-x. 1 joro joro 0 Jan 9 06:13 /tmp/1/a #original setuid
ls -lh /tmp/2/a
#-rwxr-xr-x. 1 joro joro 0 Jan 9 06:13 /tmp/2/a #NOT setuid

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
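A defender-side check for the cpio behaviour discussed in this thread, added here as an example and not code from either poster: walk a cpio archive before extraction and report every entry whose mode carries the setuid or setgid bit, so such archives can be rejected or extracted with the bits stripped. It assumes the archive is in the common "newc" format (the `-H newc` / SVR4 header, which the thread does not name); the sample archive is constructed inline for testing.

```python
"""Scan a cpio 'newc' archive for entries carrying setuid/setgid bits."""
import sys

S_ISUID, S_ISGID = 0o4000, 0o2000
HEADER_LEN = 110          # "070701" magic + 13 fields of 8 hex digits


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc alignment)."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Constructed test input: a minimal newc archive from (name, mode, data) tuples."""
    out = b""
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], start=1):
        # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin, rdevmaj, rdevmin, namesize, check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
        hdr = b"070701" + b"".join(b"%08X" % f for f in fields)
        name_b = name.encode() + b"\0"
        out += hdr + name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return out


def find_setuid_entries(blob):
    """Return [(name, mode)] for every entry with S_ISUID or S_ISGID set."""
    flagged, off = [], 0
    while off + HEADER_LEN <= len(blob):
        hdr = blob[off:off + HEADER_LEN]
        if hdr[:6] != b"070701":
            raise ValueError("not a newc cpio archive at offset %d" % off)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name_start = off + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode(errors="replace")
        if name == "TRAILER!!!":
            break
        if mode & (S_ISUID | S_ISGID):
            flagged.append((name, mode))
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        off = data_start + filesize + _pad4(filesize)
    return flagged


if __name__ == "__main__":
    # Usage: python scan_cpio.py archive.cpio
    with open(sys.argv[1], "rb") as fh:
        for name, mode in find_setuid_entries(fh.read()):
            print("%s mode %o has setuid/setgid set" % (name, mode))
```

Exit non-zero or strip the bits with chmod after extraction if any entry is reported; the scanner itself only reads the archive.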
Current thread:
- cpio privilege escalation vulnerability via setuid files in cpio archive Georgi Guninski (Jan 08)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive fulldisclosure (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Harry Sintonen via Fulldisclosure (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Georgi Guninski (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Harry Sintonen via Fulldisclosure (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Georgi Guninski (Jan 14)