Re: [Full-disclosure] GNU tar directory traversal

2006-11-23 Thread virus
Hello,

[EMAIL PROTECTED] wrote:
> no. Not agreed. -C is for changing the directory *before processing the 
> remaining arguments*. So, if you don't want tar to overwrite files, you 
> have to use -w.

Siim was right, -w is a workaround. Therefore it is - contrary to my 
former opinion - a security issue.

Sorry for the noise.

GTi

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] GNU tar directory traversal

2006-11-23 Thread virus
Hello,

Siim Põder wrote:
> But not outside cwd or another directory specified by the -C option.
> Agreed? Great.

no. Not agreed. -C is for changing the directory *before processing the 
remaining arguments*. So, if you don't want tar to overwrite files, you 
have to use -w.

GTi


Re: [Full-disclosure] GNU tar directory traversal

2006-11-22 Thread Jeb Osama


> Jeb, even so, I don't think 'LOLOLOLOL' is the best way to let Teemu
> know that. I personally would not like this kind of attitude.
> 
> Don't take this the wrong way, I just didn't like this behavior on a
> list like this.
> 
> Take care.
> 
> Regards,
> 
> Gouki



Bah.. You give a troll too much respect.

Filter me,
Jeb

Re: [Full-disclosure] GNU tar directory traversal

2006-11-22 Thread Siim Põder
Yo!

[EMAIL PROTECTED] wrote:
> Siim Põder wrote:
>> That has little to do with the actual vulnerability, hasn't it? It's a
>> possible workaround though, so that's great.
> that's not a workaround. tar is supposed to overwrite files. If you
> don't want that behavior, use "-w".

But not outside cwd or another directory specified by the -C option.
Agreed? Great.

Siim Põder



Re: [Full-disclosure] GNU tar directory traversal

2006-11-22 Thread virus
Hello,

Siim Põder wrote:
> That has little to do with the actual vulnerability, hasn't it? It's a
> possible workaround though, so that's great.

that's not a workaround. tar is supposed to overwrite files. If you 
don't want that behavior, use "-w".

>>> Discussing whether root should ever run tar is irrelevant.
>> Agreed, the discussion whether root should *run* tar or not is 
> I specifically said I didn't want to discuss this

Yeah. So don't comment on my comments...

GTi



Re: [Full-disclosure] GNU tar directory traversal

2006-11-22 Thread Siim Põder
Yo!

[EMAIL PROTECTED] wrote:
> Siim Põder wrote:
>> So, for example, I make a tar archive that contains a symlink to
>> 'bla'->'/etc' and 'bla/passwd', that - if opened by root - would
>> overwrite the passwd file.
> 
> right from the man page: A confirmation is needed if -w is used.

That has little to do with the actual vulnerability, hasn't it? It's a
possible workaround though, so that's great.

>> Discussing whether root should ever run tar is irrelevant.
> Agreed, the discussion whether root should *run* tar or not is 
> irrelevant. One shouldn't *trust* tar files from unknown/untrusted 
> sources, root or not.

I specifically said I didn't want to discuss this (or any variants
thereof, which i failed to explicitly bring out) as this has nothing to
do with the vulnerability. I know I shouldn't do it just as you know it
and just as everyone else knows it - no reason for discussion.

Siim Põder



Re: [Full-disclosure] GNU tar directory traversal

2006-11-22 Thread virus
Hello,

Siim Põder wrote:
> So, for example, I make a tar archive that contains a symlink to
> 'bla'->'/etc' and 'bla/passwd', that - if opened by root - would
> overwrite the passwd file.

right from the man page: A confirmation is needed if -w is used.

> Discussing whether root should ever run tar is irrelevant.

Agreed, the discussion whether root should *run* tar or not is 
irrelevant. One shouldn't *trust* tar files from unknown/untrusted 
sources, root or not.

GTi



Re: [Full-disclosure] GNU tar directory traversal

2006-11-22 Thread Teemu Salmela
Siim Põder wrote:
> And is tar supposed to overwrite arbitrary files on the filesystem when
> untarring an archive?
>
> If I understand Teemu right, then he's found a way to create a tar file
> that would create a symlink when untarred; and create further files to
> wherever the symlink points to (If this is not the case, then
> LOLOLOLOLOLOL might be in order).
>
> So, for example, I make a tar archive that contains a symlink to
> 'bla'->'/etc' and 'bla/passwd', that - if opened by root - would
> overwrite the passwd file.
>
Yes, this is how it works.

-- 
fscanf(socket,"%s",buf); printf(buf);
sprintf(query, "SELECT %s FROM table", buf);
sprintf(cmd, "echo %s | sqlquery", query); system(cmd);
Teemu Salmela 




Re: [Full-disclosure] GNU tar directory traversal

2006-11-22 Thread Siim Põder
Yo!

Jeb Osama wrote:
> LOLOLOLOLOLOLOLOLOL That's pretty much the purpose of symlinks.. What's
> your point in posting this fact in FD?

And is tar supposed to overwrite arbitrary files on the filesystem when
untarring an archive?

If I understand Teemu right, then he's found a way to create a tar file
that would create a symlink when untarred; and create further files to
wherever the symlink points to (If this is not the case, then
LOLOLOLOLOLOL might be in order).

So, for example, I make a tar archive that contains a symlink to
'bla'->'/etc' and 'bla/passwd', that - if opened by root - would
overwrite the passwd file.

Discussing whether root should ever run tar is irrelevant.

Siim Põder



Re: [Full-disclosure] GNU tar directory traversal

2006-11-22 Thread Teemu Salmela
Jeb Osama wrote:
>
> LOLOLOLOLOLOLOLOLOL
> That's pretty much the purpose of symlinks.. What's your point in 
> posting this fact in FD?

I tried to say that you shouldn't extract tar archives that come
from someone you don't trust.
If you extract an untrusted tar archive (for example, download it from the
web, or receive it as an e-mail attachment) as root it's as bad as
running an untrusted program as root because the tar archive
could replace any file (/bin/ls, /bin/bash, the kernel, etc) in the system.
Even the coders of tar would realize this is a security risk. I know
this because, in the tar code, they really try to make it impossible to
extract files outside the "extraction directory".

-- 
fscanf(socket,"%s",buf); printf(buf);
sprintf(query, "SELECT %s FROM table", buf);
sprintf(cmd, "echo %s | sqlquery", query); system(cmd);
Teemu Salmela 




Re: [Full-disclosure] GNU tar directory traversal

2006-11-21 Thread Gouki
Jeb, even so, I don't think 'LOLOLOLOL' is the best way to let Teemu
know that. I personally would not like this kind of attitude.

Don't take this the wrong way, I just didn't like this behavior on a
list like this.

Take care.

Regards,

Gouki

On Wed, 2006-11-22 at 07:45 +0530, Jeb Osama wrote:
> 
> From: Teemu Salmela <[EMAIL PROTECTED] >
> 
> 
> GNU tar directory traversal
> 
> 
> What is it?
> When I download a tar file (warez.tar.gz in this example) from the web and
> run the following commands:
> 
> $ mkdir ~/warez
> $ tar xzf warez.tar.gz -C ~/warez
> 
> then I would expect that tar doesn't create or replace any files outside
> the ~/warez directory. Today, I was browsing the GNU tar source code trying
> to find a way to create/overwrite arbitrary files, and I found it!
> 
> Normal tar symlinks/hardlinks are handled correctly in GNU tar (I think),
> but there is one tar record type, called GNUTYPE_NAMES (this is some kind
> of GNU extension, I think), that allows me to create symbolic links
> (inside the ~/warez directory, in this example) pointing to arbitrary
> locations in the filesystem. In the exploit, I make a symbolic link called
> "xyz", pointing to "/". After that record, more records would follow
> that extract files to the "xyz" directory.
> 
> Version numbers:
> 
> I tested this on Ubuntu 6.06 LTS, GNU tar 1.16 and GNU tar 1.15.1 (this one
> comes with Ubuntu)
> 
> Vulnerable code:
> 
> See extract_archive() in extract.c and extract_mangle() in mangle.c.
> 
> Exploit:
> 
> [snip tEh C code]
> --
> fscanf(socket,"%s",buf); printf(buf);
> sprintf(query, "SELECT %s FROM table", buf);
> sprintf(cmd, "echo %s | sqlquery", query); system(cmd);
> Teemu Salmela
> 
> 
> LOLOLOLOLOLOLOLOLOL
> That's pretty much the purpose of symlinks.. What's your point in
> posting this fact in FD?
> 
> Jeb
> 
> 
> 
-- 
*//=
  .-. Fingerprint: 4B36 0BC2 82CE 6858 4893 7132 BC98 A7E4 3482 BA17
  /v\  Size / Type: 1024/DSA
 // \\  Availability: MIT's PKS - pgp.mit.edu
/(   )\  Homepage: GoukiHQ.org
 ^^-^^|PHEAR THE PENGUIN|
*//=



Re: [Full-disclosure] GNU tar directory traversal

2006-11-21 Thread Jeb Osama

From: Teemu Salmela <[EMAIL PROTECTED]>


GNU tar directory traversal


What is it?
When I download a tar file (warez.tar.gz in this example) from the web and
run the following commands:

$ mkdir ~/warez
$ tar xzf warez.tar.gz -C ~/warez

then I would expect that tar doesn't create or replace any files outside
the ~/warez directory. Today, I was browsing the GNU tar source code trying
to find a way to create/overwrite arbitrary files, and I found it!

Normal tar symlinks/hardlinks are handled correctly in GNU tar (I think),
but there is one tar record type, called GNUTYPE_NAMES (this is some kind
of GNU extension, I think), that allows me to create symbolic links
(inside the ~/warez directory, in this example) pointing to arbitrary
locations in the filesystem. In the exploit, I make a symbolic link called
"xyz", pointing to "/". After that record, more records would follow
that extract files to the "xyz" directory.

Version numbers:


I tested this on Ubuntu 6.06 LTS, GNU tar 1.16 and GNU tar 1.15.1 (this one
comes with Ubuntu)

Vulnerable code:


See extract_archive() in extract.c and extract_mangle() in mangle.c.

Exploit:


[snip tEh C code]
--
fscanf(socket,"%s",buf); printf(buf);
sprintf(query, "SELECT %s FROM table", buf);
sprintf(cmd, "echo %s | sqlquery", query); system(cmd);
Teemu Salmela






LOLOLOLOLOLOLOLOLOL
That's pretty much the purpose of symlinks.. What's your point in posting this
fact in FD?

Jeb
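The shape of the attack discussed in this thread, as an added example that is not part of any post and not GNU tar's code: Python's tarfile module cannot emit the obsolete GNUTYPE_NAMES ('N') record that Teemu's advisory (quoted above) relies on, so the first constructed archive below reproduces the same shape with an ordinary symlink member, 'xyz' -> '/' followed by 'xyz/tmp/owned.txt' (Siim's 'bla' -> '/etc' plus 'bla/passwd' is the same thing), and a second constructed archive carries a bare 'N'-typed member with placeholder contents, since the mangle directive format is deliberately not modelled here. audit_tar() walks the members in archive order and rejects absolute and '..' paths, symlink and hardlink targets that leave the extraction directory, any member written through an earlier symlink, and any member type it does not recognise; that is the pre-extraction check to run in front of any extractor that lacks one (older versions of Python's own tarfile.extractall followed symlinks exactly this way). The function and sample file names are assumptions of this example.

```python
import io
import posixpath
import tarfile

# Member types an extractor should be willing to create; anything else
# (including the 'N' GNUTYPE_NAMES record from the advisory) is rejected.
KNOWN_TYPES = frozenset({
    tarfile.REGTYPE, tarfile.AREGTYPE, tarfile.CONTTYPE, tarfile.GNUTYPE_SPARSE,
    tarfile.DIRTYPE, tarfile.SYMTYPE, tarfile.LNKTYPE,
    tarfile.CHRTYPE, tarfile.BLKTYPE, tarfile.FIFOTYPE,
})


def _inside_tree(name):
    """Normalise an archive path; return '' if it is absolute or climbs above
    the extraction directory (a '..' that survives normpath)."""
    norm = posixpath.normpath(name)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return ""
    return norm


def audit_tar(data):
    """Return a list of problems; an empty list means every member lands inside
    a fresh extraction directory. Members are checked in archive order because
    the attack needs the link to exist *before* a later member writes through it."""
    problems = []
    symlinks = {}  # normalised link path -> raw target, as seen so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            if m.type not in KNOWN_TYPES:
                problems.append("%r: unsupported member type %r" % (m.name, m.type))
            name = _inside_tree(m.name)
            if not name:
                problems.append("%r: absolute path or '..' escape" % m.name)
                continue
            # A parent directory that is an earlier symlink sends the write
            # wherever the link points; flagged even if the target is in-tree.
            parent = posixpath.dirname(name)
            while parent:
                if parent in symlinks:
                    problems.append("%r: written through earlier symlink %r -> %r"
                                    % (m.name, parent, symlinks[parent]))
                    break
                parent = posixpath.dirname(parent)
            if m.issym():
                # Symlink targets are relative to the directory holding the link.
                target = "" if m.linkname.startswith("/") else _inside_tree(
                    posixpath.join(posixpath.dirname(name), m.linkname))
                if not target:
                    problems.append("%r: symlink to %r leaves the extraction directory"
                                    % (m.name, m.linkname))
                symlinks[name] = m.linkname
            elif m.islnk() and not _inside_tree(m.linkname):
                problems.append("%r: hardlink to %r leaves the extraction directory"
                                % (m.name, m.linkname))
    return problems


def _tar_bytes(members):
    """Build an uncompressed tar in memory from (TarInfo, payload or None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for info, payload in members:
            if payload is None:
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_symlink_escape_tar():
    """Constructed sample: 'xyz' -> '/' and then a file written through it."""
    link = tarfile.TarInfo("xyz")
    link.type, link.linkname = tarfile.SYMTYPE, "/"
    return _tar_bytes([(link, None),
                       (tarfile.TarInfo("xyz/tmp/owned.txt"), b"owned\n")])


def build_gnu_names_tar():
    """Constructed sample: a member with the 'N' (GNUTYPE_NAMES) typeflag; the
    mangle directives it would carry are not modelled, the type alone is flagged."""
    names = tarfile.TarInfo("mangle-record")
    names.type = b"N"
    return _tar_bytes([(names, b"placeholder, not real mangle directives\n")])


def build_benign_tar():
    """Constructed sample: a directory, a file, and a symlink that stays in-tree."""
    d = tarfile.TarInfo("warez")
    d.type = tarfile.DIRTYPE
    link = tarfile.TarInfo("warez/latest")
    link.type, link.linkname = tarfile.SYMTYPE, "readme.txt"
    return _tar_bytes([(d, None),
                       (tarfile.TarInfo("warez/readme.txt"), b"hello\n"),
                       (link, None)])


if __name__ == "__main__":
    for label, build in (("benign", build_benign_tar),
                         ("symlink escape", build_symlink_escape_tar),
                         ("GNUTYPE_NAMES", build_gnu_names_tar)):
        print(label, "->", audit_tar(build()) or "ok")
```

The audit is deliberately stricter than GNU tar needs to be: any write through an earlier symlink is reported, even one whose target stays inside the tree, because an extractor has no business creating files through links at all. Treating unknown typeflags as hostile is what catches the 'N' record; an extractor that simply ignores typeflags it does not understand is the safe default, and this check makes sure such archives are never handed to one that does not.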