- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TEAM PWN4GE Security Advisory                                     PWNED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: HIGH
Title: TAR: Local root exploit using Tar
Date: February 02, 2005
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An evil malicious, vile, disgusting, atrocious vulnerability has been
found to exist on Unix based machines with the tar binary.

Background
==========

TAR is a Unix based tool used to compress files. It is nowhere near as
functional or useable as WinZip, but nevertheless Unix users need love
too.

Affected versions
=================

All versions of Unix based variants using TAR can be pwn0rf13d.

Description
===========

Shotgun Willie of TEAM PWN4G3 discovered that an unobservant (l)user
can extract the contents of a tarball, overwriting his shadow (or, for
those "others", master.passwd) files, leading to maximum pwn4ge.

Proof of Concept
================

# tar -cf parishiltonpr0n.tar /etc/shadow
# mv parishiltonpr0n.tar /path/to/htdocs/parishiltonpr0n.tar
# ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Wed Feb 2 14:48:41 2005 from sec.msft.com
Sun Microsystems Inc. SunOS 5.10 PWN4GEKERNEL Jan 2005
You have mail.
$ wget www.(PROTECTEDSITENAME).net/parishiltonpr0n.tar
--15:42:02-- http://www.(PROTECTEDSITENAME).net/parishiltonpr0n.tar
           => `parishiltonpr0n.tar'
Resolving www.(PROTECTEDSITENAME).net... done.
Connecting to www.(PROTECTEDSITENAME).net[198.81.129.100]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,163 [application/x-tar]

100%[=================================================================================>] 1,163 1.11M/s ETA 00:00

15:42:02 (1.11 MB/s) - `rechecker.tar.gz' saved [1163/1163]

$ echo "w00t"
$ tar -xvf parishiltonpr0n.tar
tar: blocksize = 8
x /etc/shadow, 1100 bytes, 5 tape blocks
# echo "pwn3d d4t 3ss sux0r!@ h0 h0 h0"

Impact
======

All your nix belong to us.

Workaround
==========

On your shell:

rm `which tar` & echo "Security is glorious amen"

Concerns?
=========

Security is a primary focus of TEAM PWN4GE and ensuring the progress of
a secure Interweb be our dreams and visions. As security concerns
should be addressed to respective vendors, we feel the urge to bypass
standards and bring our common dreams of a secure homeland to the
Interweb.

License
=======

Copyright 2005 TEAM PWN4GE

The contents of this document are licensed under the Creative Commons -
Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html