Hey,

2xs Security Team spotted a security risk in tar / gtar. Although tar / gtar is not suid in Linux (most probably in all of the OSes), a lot of scripts use it to do automatic backups, etc.

To the details:

[test@TestZone BOS]$ id
uid=500(test) gid=500(test) groups=500(test)
[test@TestZone BOS]$ gdb /bin/tar
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
(gdb) r -c `perl -e'print "A" x 8192'` -G `perl -e'print "A" x 8192'`
Starting program: /bin/tar -c `perl -e'print "A" x 8192'` -G `perl -e'print "A" x 8192'`
/bin/bash: /root/.bashrc: Permission denied
a lot of AAAAAAA..... : Cannot stat: File name too long

Program received signal SIGSEGV, Segmentation fault.
0x400760e4 in chunk_free (ar_ptr=0x4010ad60, p=0x8071488) at malloc.c:3100
3100    malloc.c: No such file or directory.
(gdb) where
#0  0x400760e4 in chunk_free (ar_ptr=0x4010ad60, p=0x8071488) at malloc.c:3100
#1  0x40075fba in __libc_free (mem=0x8071490) at malloc.c:3023
#2  0x805049f in strcpy () at ../sysdeps/generic/strcpy.c:30
#3  0x805c9a5 in strcpy () at ../sysdeps/generic/strcpy.c:30
#4  0x400349cb in __libc_start_main (main=0x805c86c <strcpy+76592>, argc=5,
    argv=0xbfff9b54, init=0x804960c, fini=0x80641fc <__umoddi3+604>,
    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbfff9b4c)
    at ../sysdeps/generic/libc-start.c:92
(gdb) info registers
eax            0x1009           4105
ecx            0x41414140       1094795584
edx            0x8071488        134681736
ebx            0x4010c1ec       1074840044
esp            0xbfff9aac       -1073767764
ebp            0xbfff9ad0       -1073767728
esi            0x8072490        134685840
edi            0x8071488        134681736
eip            0x400760e4       1074225380
eflags         0x10202          66050
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x0              0
cwd            0xffff037f       -64641
swd            0xffff0000       -65536
twd            0x0              0
fip            0x8094c93        134827155
fcs            0x23             35
fopo           0x80e6510        135161104
fos            0x2b             43
(gdb)

This bug has a lot of other flags as well (-c among them).

For more information please contact:

Ehud Tenenbaum <analyzerat_private>  CTO & Project Manager.
Izik Kotler <izikat_private>  Senior Programmer.
Mixter <mixterat_private>  Senior Programmer.
acz <aczat_private>  Programmer/QA Tester.

No exploit at this moment.

Bug confirmed on Red Hat 6.2 / Slackware 7.1 / Mandrake 8.0.

2xs Security Team.

--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehudat_private
------------
Have A Safe Day
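The post above reproduces the crash by hand under gdb. For the backup-script maintainers the post worries about, the useful check is whether the tar binary on a given host still dies by signal on an oversized argument after patching, or fails cleanly with an error status. The following is an added example written for this archive entry, not code from the 2xs post: a small POSIX sh harness that runs any command with one 8192-byte argument (the length the post used) and classifies the outcome by exit status. It assumes `head -c` and `tr` are available; the function names `long_arg` and `check_long_arg` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the 2xs advisory. Regression check for the
# failure mode in the post: does a command fail cleanly on an oversized
# argument, or is it killed by a signal (what a crash in chunk_free looks
# like from a calling script)?

# Build an argument of N bytes of 'A' without perl. Assumes GNU/BSD head -c.
long_arg() {
    n=${1:-8192}
    head -c "$n" /dev/zero | tr '\0' 'A'
}

# Run "$@" followed by the long argument and print one word:
#   ok      exit status 0
#   error   non-zero status below 128 (clean failure, e.g. "File name too long")
#   signal  status 128+n, the shell's encoding of death by signal n
# Return value is 0 for ok/error and 1 for signal, so the function can gate
# a deployment step. Output of the checked command is discarded.
check_long_arg() {
    arg=$(long_arg 8192)
    status=0
    "$@" "$arg" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo ok
        return 0
    elif [ "$status" -lt 128 ]; then
        echo error
        return 0
    else
        echo signal
        return 1
    fi
}

# Stand-alone use: check the installed tar without writing an archive.
# A tar that handles the length limit prints "error" (it cannot stat the
# name); a build with the bug in the post prints "signal".
if [ "${1:-}" = "--tar" ]; then
    check_long_arg tar -cf /dev/null
fi
```

`check_long_arg tar -cf /dev/null` is the call to put in a host-acceptance script; a clean `error` result only shows that the one `-c` path tested here is fixed, so the same call should be repeated for the other option paths the post says are affected (`-G` is the one shown) before a build is trusted.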
This archive was generated by hypermail 2b30 : Thu Feb 21 2002 - 10:22:57 PST