Re: [Bug-cpio] [PATCH] Check for size overflow in tar header fields
From: Thomas ☃ Habets
Subject: Re: [Bug-cpio] [PATCH] Check for size overflow in tar header fields
Date: Thu, 17 Oct 2019 14:22:18 +0100
On Mon, 30 Sep 2019 at 10:52, Thomas ☃ Habets <address@hidden> wrote:
> On Fri, 30 Aug 2019 at 16:54, Thomas ☃ Habets <address@hidden> wrote:
> > Check for size overflow in tar header fields.
> >
> > This prevents surprising outputs being created, e.g. this cpio tar
> > output with more than one file:
> >
> > tar cf suffix.tar AUTHORS
> > dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
> > echo suffix.tar | cpio -H tar -o | tar tvf -
> >
> > -rw-r--r-- 1000/1000 0 2019-08-30 16:40 suffix.tar
> > -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
> >
> > Patch attached, but also at https://cement.retrofitta.se/tmp/cpio-tar.patch
> Anyone looking at this? I think this is actually a security issue.
Here's perhaps a clearer description of why it's a security issue:
1) Prep payload
evil$ ls /home/evil
evil$ ./generate_evil_data > /home/evil/foo.tar # (can have any name, not just .tar)
2) root user performs backup
root# find /home -print0 | cpio -H tar -o > /var/backup/h.tar
3) root user restores
root# cd /
root# tar xf /var/backup/h.tar /home/evil/
4) evil user uses newly created rootshell, or writes to /dev/sda
evil$ ls -l /home/evil/
srwxr-xr-x 1 evil evil 61176 Aug 3 2018 /home/evil/rootshell
brw-rw---- 1 evil evil 8, 0 Oct 7 11:21 /home/evil/sda-pwned
evil$ /home/evil/rootshell
--
☢ Thomas ☢
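
The kind of check the subject line describes, as an added example that is not part of the original message, the attached patch, or cpio's source: before a numeric value is written into a fixed-width octal tar header field, confirm it fits and refuse rather than truncate. The helper name `tar_octal_checked` is hypothetical, and the 12-byte size field (11 octal digits plus terminator) is the ustar layout, assumed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ustar "size" field: 12 bytes, 11 octal digits plus a terminator. */
#define TAR_SIZE_FIELD 12

/*
 * Hypothetical helper (not cpio's own function): write `value` as
 * zero-padded octal into a header field of `field_len` bytes, the last
 * byte being a NUL terminator. Returns 0 on success, or -1 if the value
 * needs more digits than the field holds; the field is then left
 * untouched so the caller can skip the file or abort the archive.
 */
int tar_octal_checked(uint64_t value, char *field, size_t field_len)
{
    if (field_len < 2)
        return -1;

    size_t digits = field_len - 1;
    size_t needed = 1;
    for (uint64_t v = value; v >>= 3; )
        needed++;                 /* count octal digits in value */
    if (needed > digits)
        return -1;                /* would overflow: refuse, never truncate */

    field[digits] = '\0';
    for (size_t i = digits; i-- > 0; value >>= 3)
        field[i] = (char)('0' + (value & 7));
    return 0;
}

int main(void)
{
    /* Constructed sample sizes: the 161-byte AUTHORS file from the
     * listing, the largest value 11 octal digits can hold (8 GiB - 1),
     * and the 16 GiB sparse file from the dd command. */
    uint64_t sizes[] = { 161, 8589934591ULL, 17179869184ULL };
    char field[TAR_SIZE_FIELD];

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        memset(field, 0, sizeof field);
        if (tar_octal_checked(sizes[i], field, sizeof field) == 0)
            printf("%llu -> \"%s\"\n", (unsigned long long)sizes[i], field);
        else
            printf("%llu -> does not fit, refusing to write header\n",
                   (unsigned long long)sizes[i]);
    }
    return 0;
}
```

16 GiB is 2^34, which needs 12 octal digits; its low 11 digits are all zero, so a writer that truncates instead of checking would emit a size of 0.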