potential bug in tar and gtar

From: Ehud Tenenbaum (analyzerat_private)
Date: Wed Feb 20 2002 - 18:48:33 PST


    Hey,
    
    2xs Security team spotted a security risk in tar / gtar.
    Although tar / gtar are not suid in Linux (most probably in
    all of the OSes), a lot of scripts use it to do automatic
    backups etc.
    
    To the details:
    
    [test@TestZone BOS]$ id
    uid=500(test) gid=500(test) groups=500(test)
    [test@TestZone BOS]$ gdb /bin/tar
    GNU gdb 19991004
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you
    are
    welcome to change it and/or distribute copies of it under certain
    conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for
    details.
    This GDB was configured as "i386-redhat-linux"...(no debugging symbols
    found)...
    (gdb) r -c `perl -e'print "A" x 8192'` -G `perl -e'print "A" x 8192'`
    Starting program: /bin/tar -c `perl -e'print "A" x 8192'` -G `perl
    -e'print "A" x 8192'`
    /bin/bash: /root/.bashrc: Permission denied
    alot of AAAAAAA..... : Cannot stat: File name too long
     
    Program received signal SIGSEGV, Segmentation fault.
    0x400760e4 in chunk_free (ar_ptr=0x4010ad60, p=0x8071488) at
    malloc.c:3100
    3100    malloc.c: No such file or directory.
    
    (gdb) where
    #0  0x400760e4 in chunk_free (ar_ptr=0x4010ad60, p=0x8071488) at
    malloc.c:3100
    #1  0x40075fba in __libc_free (mem=0x8071490) at malloc.c:3023
    #2  0x805049f in strcpy () at ../sysdeps/generic/strcpy.c:30
    #3  0x805c9a5 in strcpy () at ../sysdeps/generic/strcpy.c:30
    #4  0x400349cb in __libc_start_main (main=0x805c86c <strcpy+76592>,
    argc=5, argv=0xbfff9b54,
        init=0x804960c, fini=0x80641fc <__umoddi3+604>, rtld_fini=0x4000ae60
    <_dl_fini>,
        stack_end=0xbfff9b4c) at ../sysdeps/generic/libc-start.c:92
    
    (gdb) info registers
    eax            0x1009   4105
    ecx            0x41414140       1094795584
    edx            0x8071488        134681736
    ebx            0x4010c1ec       1074840044
    esp            0xbfff9aac       -1073767764
    ebp            0xbfff9ad0       -1073767728
    esi            0x8072490        134685840
    edi            0x8071488        134681736
    eip            0x400760e4       1074225380
    eflags         0x10202  66050
    cs             0x23     35
    ss             0x2b     43
    ds             0x2b     43
    es             0x2b     43
    fs             0x0      0
    gs             0x0      0
    cwd            0xffff037f       -64641
    swd            0xffff0000       -65536
    twd            0x0      0
    fip            0x8094c93        134827155
    fcs            0x23     35
    fopo           0x80e6510        135161104
    fos            0x2b     43
    (gdb)
    
    This bug has a lot of other flags as well (as long as -c is among them).
    For more information please contact:
    
    Ehud Tenenbaum <analyzerat_private> CTO & Project manager.
    Izik Kotler <izikat_private> Senior programmer.
    Mixter <mixterat_private> Senior programmer.
    acz <aczat_private> Programmer/QA tester.
    
    No exploit at this moment.
    Bug confirmed on Red Hat 6.2 / Slackware 7.1 / Mandrake 8.0
    
    2xs Security Team.
    
    
    -- 
    ------------
    Ehud Tenenbaum
    C.T.O & Project Manager 
    2xs LTD. 
    Tel: 972-9-9519980
    Fax: 972-9-9519982
    E-Mail: ehudat_private
    ------------ 
                                     Have A Safe Day
    
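Added example, not part of the post above and not GNU tar's code. The backtrace ends inside chunk_free() with ecx holding 0x41414140, i.e. allocator bookkeeping that has been overwritten with the 'A' bytes of the argument, and the crash surfaces only when free() runs later. The post does not identify the defect in tar itself, so the snippet below illustrates the general bug class: a fixed-size heap buffer filled by an unbounded strcpy(), beside a bounded version that rejects over-long names (the limit NAME_LIMIT and the helper names are assumptions chosen for the example) and reports ENAMETOOLONG, the same "File name too long" condition tar printed before it died.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for the example (4096 matches PATH_MAX on Linux). */
#define NAME_LIMIT 4096
/* Fixed buffer size of the contrasting unbounded version. */
#define NAME_BUF 256

/* Contrast only, never called in this example: the buffer is NAME_BUF
 * bytes but the copy has no length check, so a longer src runs past the
 * chunk into the allocator's metadata for the next chunk. The copy itself
 * usually succeeds; the program dies later in free(), which is the shape
 * of the chunk_free() backtrace in the post. */
char *copy_name_unbounded(const char *src)
{
    char *dst = malloc(NAME_BUF);
    if (dst == NULL)
        return NULL;
    strcpy(dst, src);   /* heap overflow when strlen(src) >= NAME_BUF */
    return dst;
}

/* Bounded version: measure at most `limit` bytes, refuse anything that
 * reaches the limit (errno = ENAMETOOLONG), and size the allocation from
 * the measured length so free() always sees intact chunk metadata. */
char *copy_name_bounded(const char *src, size_t limit)
{
    size_t len = 0;
    while (len < limit && src[len] != '\0')
        len++;
    if (len >= limit) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    char *dst = malloc(len + 1);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return dst;
}

/* Builds a constructed input of n copies of c, like the perl one-liner
 * in the post (8192 x "A"). Caller frees the result. */
char *make_fill(size_t n, char c)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *big = make_fill(8192, 'A');                 /* constructed input */
    char *ok  = copy_name_bounded("backup.tar", NAME_LIMIT);
    char *bad = copy_name_bounded(big, NAME_LIMIT);
    printf("short name   : %s\n", ok ? ok : "(rejected)");
    printf("8192-byte name: %s\n", bad ? bad : strerror(errno));
    free(ok);
    free(bad);
    free(big);
    return 0;
}
```

The point to take from the backtrace is that a crash in free() is a symptom, not the fault: the corruption happened at the copy, and the defensive change belongs there (a length check against a known limit before the data reaches a sized buffer), not around the free() call.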



    This archive was generated by hypermail 2b30 : Thu Feb 21 2002 - 10:22:57 PST