Vulnerability Development mailing list archives

potential bug in tar and gtar


From: Ehud Tenenbaum <analyzer () 2xss com>
Date: Thu, 21 Feb 2002 04:48:33 +0200

Hey,

2xs Security Team spotted a security risk in tar / gtar. Although tar / gtar
are not suid in Linux (most probably on all of the OSes), a lot of scripts
use it to do automatic backups etc.

To the details:

[test@TestZone BOS]$ id
uid=500(test) gid=500(test) groups=500(test)
[test@TestZone BOS]$ gdb /bin/tar
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
(gdb) r -c `perl -e'print "A" x 8192'` -G `perl -e'print "A" x 8192'`
Starting program: /bin/tar -c `perl -e'print "A" x 8192'` -G `perl -e'print "A" x 8192'`
/bin/bash: /root/.bashrc: Permission denied
alot of AAAAAAA..... : Cannot stat: File name too long
 
Program received signal SIGSEGV, Segmentation fault.
0x400760e4 in chunk_free (ar_ptr=0x4010ad60, p=0x8071488) at malloc.c:3100
3100    malloc.c: No such file or directory.

(gdb) where
#0  0x400760e4 in chunk_free (ar_ptr=0x4010ad60, p=0x8071488) at malloc.c:3100
#1  0x40075fba in __libc_free (mem=0x8071490) at malloc.c:3023
#2  0x805049f in strcpy () at ../sysdeps/generic/strcpy.c:30
#3  0x805c9a5 in strcpy () at ../sysdeps/generic/strcpy.c:30
#4  0x400349cb in __libc_start_main (main=0x805c86c <strcpy+76592>, argc=5, argv=0xbfff9b54,
    init=0x804960c, fini=0x80641fc <__umoddi3+604>, rtld_fini=0x4000ae60 <_dl_fini>,
    stack_end=0xbfff9b4c) at ../sysdeps/generic/libc-start.c:92

(gdb) info registers
eax            0x1009   4105
ecx            0x41414140       1094795584
edx            0x8071488        134681736
ebx            0x4010c1ec       1074840044
esp            0xbfff9aac       -1073767764
ebp            0xbfff9ad0       -1073767728
esi            0x8072490        134685840
edi            0x8071488        134681736
eip            0x400760e4       1074225380
eflags         0x10202  66050
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
cwd            0xffff037f       -64641
swd            0xffff0000       -65536
twd            0x0      0
fip            0x8094c93        134827155
fcs            0x23     35
fopo           0x80e6510        135161104
fos            0x2b     43
(gdb)

This bug has a lot of other flags as well (long -c among them).
For more information please contact:

Ehud Tenenbaum <analyzer () 2xss com> CTO & Project manager.
Izik Kotler <izik () 2xss com> Senior programmer.
Mixter <mixter () 2xss com> Senior programmer.
acz <acz () 2xss com> Programmer/QA tester.

No exploit at this moment.
Bug confirmed on Red Hat 6.2 / Slackware 7.1 / Mandrake 8.0

2xs Security Team.


-- 
------------
Ehud Tenenbaum
C.T.O & Project Manager 
2xs LTD. 
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehud () 2xss com
------------ 
                                 Have A Safe Day
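As an added example that is not part of the post above and not GNU tar's own code, the following C program models the defect shape the trace points at (a name from argv copied into a fixed-size heap buffer, with free() later tripping over a chunk header clobbered by 0x41 bytes) and shows the length check that prevents it. The struct, the function names and the 100-byte limit (the size of the ustar header name field) are assumptions for illustration; the 8192-byte name is constructed at runtime to match the report.

```c
/* Added example: bounded storage of a command-line file name into a
 * fixed-size heap buffer. Not GNU tar's code; names and limit are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_FIELD_LEN 100  /* ustar header name field; hypothetical buffer size here */

struct entry {
    char *name;             /* heap buffer of NAME_FIELD_LEN bytes, or NULL */
};

/* Copy arg into a freshly allocated NAME_FIELD_LEN buffer.
 * Returns 0 on success; -1 and leaves e->name NULL when the name does not
 * fit. An unbounded strcpy here is what would write 'A's over the next
 * malloc chunk header and crash in chunk_free, as in the gdb trace above. */
int store_name(struct entry *e, const char *arg)
{
    e->name = NULL;
    /* strnlen never scans past the limit, so an 8192-byte name costs O(limit). */
    size_t len = strnlen(arg, NAME_FIELD_LEN + 1);
    if (len > NAME_FIELD_LEN - 1) {
        fprintf(stderr, "%.16s...: file name too long (limit %d)\n",
                arg, NAME_FIELD_LEN - 1);
        return -1;
    }
    e->name = malloc(NAME_FIELD_LEN);
    if (e->name == NULL)
        return -1;
    memcpy(e->name, arg, len + 1);   /* bounded by the check above */
    return 0;
}

/* Constructed input: a run of n 'A' bytes, like perl -e 'print "A" x 8192'. */
char *make_long_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    struct entry e;
    char *longname = make_long_name(8192);
    int rc_long = store_name(&e, longname);          /* rejected: -1 */
    int rc_ok = store_name(&e, "backup/etc/hosts");  /* accepted: 0 */
    printf("long name rc=%d, short name rc=%d (%s)\n", rc_long, rc_ok, e.name);
    free(longname);
    free(e.name);
    return 0;
}
```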