«
Here are a number of practical attack scenarios:
- Attack the user by replacing important files, such as
.ssh/authorized_keys, .bashrc, .bash_logout, .profile,
.subversion or .anyconnect, when they extract a tar archive.
For example:
user@host:~$ dpkg --fsys-tarfile evil.deb | tar -xf - \
--wildcards 'blurf*'
tar: Removing leading `blurf/../' from member names
user@host:~$ cat .ssh/authorized_keys
ssh-rsa AAAAB3...nU= mrrobot@fsociety
user@host:~$
- Attack automation that extracts tar archives originating from a web
application or similar sources. Such an operation might be performed by
a setuid root component of the application. The command executed
could be for example:
# tar -C / -zxf /tmp/tmp.tgz etc/application var/chroot/application/etc
The attacker can overwrite /var/spool/cron/crontabs/root to gain code
execution as root. It is also possible to replace binaries commonly
executed by root with backdoored ones, or to drop setuid root
binaries that will enable the attacker to gain root privileges at
will. A common attack would be to replace some network-facing daemon
with a backdoored one, enabling covert code execution on demand.
This type of scenario has been successfully exploited in the real
world to gain remote code execution as root in different
environments.
- Attack commands that try to replace single files/dirs as root:
The victim would like to replace the `/etc/motd' file in the system by
extracting it from an archive obtained from an untrusted source:
# tar -C / -xvf archive.tar etc/motd
tar: Removing leading `etc/motd/../' from member names
etc/motd/../etc/shadow
#
The attacker can also bypass an --exclude rule if it is being used
with the --anchored switch. For example: the victim would like to extract
all files but `/etc/shadow' from an archive:
# tar -C / -xvf archive.tar --anchored --exclude etc/shadow
tar: Removing leading `etc/motd/../' from member names
etc/motd/../etc/shadow
#
In both cases, the attacker has now successfully replaced the /etc/shadow
file with arbitrary content.
Exploiting the vulnerability works best if the attacker has some prior knowledge of the specifics of the tar command line that gets executed. The path prefix before the `..' sequence will need to (at least partially) match the target path (or not match in case of the exclude rule) in order for the bypass attack to work. Guessing which paths the victim might extract could work too, but the success rate is likely lower.
Vulnerable versions
-------------------
- GNU tar 1.14 to 1.29 (inclusive)
»