oss-sec mailing list archives

Directory traversals in cpio and friends?


From: Alexander Cherepanov <cherepan () mccme ru>
Date: Thu, 08 Jan 2015 02:43:27 +0300

Hi!

I've taken a look at how dir traversals are dealt with in several implementations of tar and cpio. The picture is kinda strange.

First of all, I believe it's usually agreed that archivers must not touch files outside the current directory by default. Is there an authoritative link for this?

Then, it seems there are 3 main ways to exploit dir traversals through archives:

1) via absolute paths, the column 'abs' below;

2) via relative paths with '..', the column 'rel' below;

3) via symlinks to directories, the column 'link' below.

Software:

1) GNU tar and cpio, called 'tar' and 'cpio' below, tested versions from Debian jessie and git head;

2) BSD tar and cpio (based on libarchive), called 'bsdtar' and 'bsdcpio' below, tested versions from Debian jessie and git head;

3) OpenBSD-derived(?) pax, with tools called 'paxtar', 'paxcpio' and 'pax' below, tested versions from Debian jessie and FreeBSD 10.0-RELEASE-p12.

The results of tests of tar and cpio archives against various commands follow. '=' means that the corresponding file is not extracted, 'x' means that it is extracted. IMHO a secure configuration should list three '=', an insecure configuration should list three 'x', and everything else is inconsistent. The list was created by the attached scripts.

=== tar ===
abs     rel     link    cmd
=       =       =       tar -x
x       x       x       tar -x -P
=       =       =       bsdtar -x
x       x       x       bsdtar -x -P
=       x       x       paxtar -x
x       x       x       paxtar -x -P
x       x       x       pax -r

=== cpio ===
abs     rel     link    cmd
x       x       x       cpio -i
=       =       x       cpio -i --no-absolute-filenames
x       =       =       bsdcpio -i
x       x       x       bsdcpio -i --insecure
x       x       x       paxcpio -i

tar and bsdtar are ok. Good. But not much.

Question 1. Perhaps there are some reasons why all cpio variants (unlike tar) extract files with absolute paths by default?

Question 2. BSD folks who are behind the pax* tools don't consider directory traversal a vulnerability, do they?

The only 'x' in the line for `cpio -i --no-absolute-filenames` seems to be a clear vuln. Reported here: https://bugs.debian.org/774669 and now sent to upstream ml.

--
Alexander Cherepanov

Attachment: test-tar-1.sh.txt
Attachment: test-tar-all.sh.txt
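A defender-side pre-extraction check in the spirit of the three columns above, added here as an example for this archive page (it is not the author's attached scripts, which are not reproduced): it classifies tar members as 'abs', 'rel' or 'link' from the member list alone, without extracting anything. The sample archive is constructed in memory and its member names are made up.

```python
import io
import posixpath
import tarfile

def _escapes(path):
    return path.startswith("/") or path == ".." or path.startswith("../")

def unsafe_members(archive_bytes):
    """Map member name -> 'abs' | 'rel' | 'link' (the post's three columns); path analysis only."""
    findings, symlinks = {}, set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if name.startswith("/"):
                findings[m.name] = "abs"
            elif _escapes(name):
                findings[m.name] = "rel"
            elif m.issym():
                # Relative link targets resolve against the link's own directory.
                target = m.linkname
                if not target.startswith("/"):
                    target = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
                if _escapes(target):
                    findings[m.name] = "link"
                symlinks.add(name)
            else:
                # Regular entry whose path passes through an earlier symlink component.
                parts = name.split("/")
                if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
                    findings[m.name] = "link"
    return findings

def build_sample_archive():
    """Constructed in-memory tar: one benign file plus one member per traversal style."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("good/readme.txt")
        add_file("/tmp/abs-evil")            # 'abs': absolute path
        add_file("good/../../rel-evil")      # 'rel': '..' escape
        link = tarfile.TarInfo("lnk")        # 'link': symlink to a dir outside...
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp"
        tar.addfile(link)
        add_file("lnk/link-evil")            # ...and a file routed through it
    return buf.getvalue()
```

For an untrusted archive the returned map should be empty before anything is extracted; the same classification applies to cpio member lists, which the tarfile module does not read.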