Date: Tue, 1 Oct 2002 16:30:37 -0700 (PDT)
From: Don Lewis
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
To: jan@caustic.org
Cc: brett@lariat.org, kris@obsecurity.org, dillon@apollo.backplane.com, piechota@argolis.org, aaron@namba1.com, security@FreeBSD.ORG
Message-Id: <200210012330.g91NUbvU014409@gw.catspoiler.org>
In-Reply-To: <20021001155652.S67581-100000@pogo.caustic.org>

On 1 Oct, f.johan.beisser wrote:
> On Tue, 1 Oct 2002, Don Lewis wrote:
>
>> What if the tarball installs a symlink to / under the current directory
>> followed by files that are unpacked underneath the symlink name?  A
>> simple fix for the initial problem mentioned in this thread isn't
>> sufficient.
>
> i don't believe that tar(1) will allow you to do that by default.

I don't have an easy way of creating a malicious tarball to do this all
in one shot, but it does look like our tar follows symlinks.

    > mkdir foo
    > touch foo/bar
    > tar cvf foo.tar foo/bar
    foo/bar
    > rm -r foo
    > mkdir baz
    > ln -s baz foo
    > tar xvf foo.tar
    foo/bar
    > ls -l baz
    total 0
    -rw-r--r--  1 dl  dl  0 Oct  1 16:17 bar

> i know for a fact that OpenBSD won't do it by default, you have to specify
> that you want it to follow symlinks:
>
>      -L      Follow all symlinks.  In extract mode this means that a di-
>              rectory entry in the archive will not overwrite an existing
>              symbolic link, but rather what the link ultimately points
>              to.

Our -L option does something entirely different, which is odd since I
got the impression from the comments made in this thread that FreeBSD
and OpenBSD are both using gtar.

I also don't think the -L option described above (or the lack of its
use) does anything to help the problem.  If there is a symbolic link
named "foo" in the filesystem and the tarball contains a directory named
"foo", then it sounds like the symlink will be removed and replaced with
a directory if the "-L" option is not used, and the directory will be
created at the target of the symlink if the "-L" option is used.  It
doesn't seem to say anything about what is done if there is no "foo"
directory in the tarball, but the tarball contains a "foo/bar" file.

The only safe way of preventing symlinks from being followed would be to
lstat() each component of each path name in the tarball (which is still
not safe if there is a hostile process running that could substitute a
symlink for something that has already been checked).