Greetings! On Thu, 03 Feb 2005 04:32:08 +0800 "Team Pwnge" <[EMAIL PROTECTED]> wrote: > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > - TEAM PWN4GE Security Advisory > PWNED - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > Severity: HIGH > Title: TAR: Local root exploit using Tar > Date: February 02, 2005 > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
...is not reproducible. PoC fails in several steps. > Proof of Concept > ================ > > # tar -cf parishiltonpr0n.tar /etc/shadow Chmod for /etc/shadow must be set to 600 by design. So tar fails as expected with "tar: /etc/shadow: Cannot open: Permission denied" Okay, for completeness' sake, continuing with a 644'ed /etc/shadow, just in case. > $ tar -xvf parishiltonpr0n.tar > tar: blocksize = 8 > x /etc/shadow, 1100 bytes, 5 tape blocks Permission problem here as well - tar fails with "tar: shadow: Cannot open: File exists" So the attack only is successful if you have your permissions of /etc/shadow set to 666 or similar, which is an evil thing (sorry for the pun). If the password file is world-writable anyway you don't even need the way 'round with tar and HTTP transfer - simply set your own passwords for anyone you would like to - VI or EMACS is all you need in this case. Similar if /etc/ itself is set to 777. Alternatively the TAR binary might be SUID'ed, which is A Bad Idea(TM), too - which are all SUID'ed programs that can write to arbitrary locations... So the problem is not TAR, but the "cracked" wide-open system, that was misconfigured against all defaults and standards. Bye Volker -- Volker Tanger http://www.wyae.de/volker.tanger/ -------------------------------------------------- [EMAIL PROTECTED] PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html