Re: [Bug-cpio] [PATCH] Check for size overflow in tar header fields


From: Thomas ☃ Habets
Subject: Re: [Bug-cpio] [PATCH] Check for size overflow in tar header fields
Date: Thu, 17 Oct 2019 14:22:18 +0100

On Mon, 30 Sep 2019 at 10:52, Thomas ☃ Habets <address@hidden> wrote:
> On Fri, 30 Aug 2019 at 16:54, Thomas ☃ Habets <address@hidden> wrote:
> >     Check for size overflow in tar header fields.
> >
> >     This prevents surprising outputs being created, e.g. this cpio tar
> >     output with more than one file:
> >
> >     tar cf suffix.tar AUTHORS
> >     dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
> >     echo suffix.tar | cpio -H tar -o | tar tvf -
> >
> >     -rw-r--r-- 1000/1000       0 2019-08-30 16:40 suffix.tar
> >     -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
> >
> > Patch attached, but also at https://cement.retrofitta.se/tmp/cpio-tar.patch
> Anyone looking at this? I think this is actually a security issue.

Here's perhaps a clearer description of why it's a security issue:

1) Prep payload
evil$ ls /home/evil
evil$ ./generate_evil_data > /home/evil/foo.tar   # (can have any name, not just .tar)

2) root user performs backup
root# find /home -print0 | cpio -H tar -o > /var/backup/h.tar

3) root user restores
root# cd /
root# tar xf /var/backup/h.tar /home/evil/

4) evil user uses newly created rootshell, or writes to /dev/sda
evil$ ls -l /home/evil/
srwxr-xr-x 1 evil evil 61176 Aug  3  2018 /home/evil/rootshell
brw-rw---- 1 evil evil 8, 0 Oct  7 11:21 /home/evil/sda-pwned
evil$ /home/evil/rootshell

--
☢ Thomas ☢
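
The kind of check the subject line describes, as an added example that is not part of this message and is not the attached patch: refuse to encode a value that does not fit a tar header's octal field instead of silently dropping digits. The helper names `tar_put_octal` and `octal_field_max` are hypothetical, and the field widths are assumed from the standard ustar header layout (12 bytes for size, 8 for uid/gid, one of which is the terminator), so the size field tops out at 8 GiB - 1 and the 16G file from the reproduction above cannot be represented.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field widths from the ustar header layout (bytes, including terminator). */
enum { TAR_SIZE_FIELD = 12, TAR_ID_FIELD = 8 };

/* Largest value that fits in `width` bytes: width-1 octal digits plus a NUL. */
static uint64_t octal_field_max(size_t width)
{
    size_t bits = 3 * (width - 1);
    return bits >= 64 ? UINT64_MAX : ((uint64_t)1 << bits) - 1;
}

/*
 * Hypothetical helper: write `value` as zero-padded octal into field[width].
 * Returns 0 on success, -1 (field left untouched) if the value does not fit,
 * so the caller can skip the file or abort instead of truncating digits.
 */
static int tar_put_octal(char *field, size_t width, uint64_t value)
{
    if (width < 2 || value > octal_field_max(width))
        return -1;
    field[width - 1] = '\0';
    for (size_t i = width - 1; i-- > 0; value >>= 3)
        field[i] = (char)('0' + (value & 7));
    return 0;
}

int main(void)
{
    /* Constructed sizes: 161 bytes (AUTHORS), 8 GiB - 1, and 16 GiB. */
    const uint64_t sizes[] = { 161, ((uint64_t)8 << 30) - 1, (uint64_t)16 << 30 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        char field[TAR_SIZE_FIELD];
        if (tar_put_octal(field, sizeof field, sizes[i]) == 0)
            printf("%llu -> \"%s\"\n", (unsigned long long)sizes[i], field);
        else
            printf("%llu -> does not fit, refusing to write header\n",
                   (unsigned long long)sizes[i]);
    }
    return 0;
}
```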
