Minitar directory traversal vulnerability #5

Open
ecneladis opened this issue Aug 22, 2016 · 1 comment

ecneladis commented Aug 22, 2016

Overview

Minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename. Analogous vulnerabilities for unzip and tar: https://www.cvedetails.com/cve/CVE-2001-1268/ and http://www.cvedetails.com/cve/CVE-2001-1267/

Proof of Concept

~/current/tar_symlink ❯ tar -tvf symlink-overwrite.tar
lrwxrwxrwx  0 0      0           0 Jan  1  1970 ../../../../../../../../../../../../../../tmp/qwerty→

Actual behaviour:
~/current/tar_symlink ❯ rm -rf /tmp/qwerty1234
~/current/tar_symlink ❯ minitar extract symlink-overwrite.tar
~/current/tar_symlink ❯ ls -al /tmp/qwerty1234
-rwxrwxrwx 1 anon wheel 0 Jan 12 22:44 /tmp/qwerty1234

Desired behaviour:

~/current/tar_symlink ❯ tar -xf symlink-overwrite.tar
../../../../../../../../../../../../../../tmp/qwerty1234: Path contains '..'
tar: Error exit delayed from previous errors.

Example of how bsdtar handles this kind of issue:

 o       Archive entries can have absolute pathnames.  By default, tar
         removes the leading / character from filenames before restoring
         them to guard against this problem.

 o       Archive entries can have pathnames that include .. components.
         By default, tar will not extract files containing .. components
         in their pathname.

 o       Archive entries can exploit symbolic links to restore files to
         other directories.  An archive can restore a symbolic link to
         another directory, then use that link to restore a file into that
         directory.  To guard against this, tar checks each extracted path
         for symlinks.  If the final path element is a symlink, it will be
         removed and replaced with the archive entry.  If -U is specified,
         any intermediate symlink will also be unconditionally removed.
         If neither -U nor -P is specified, tar will refuse to extract the
         entry.

Vulnerable, verified versions of gems:

~ ❯ gem list | grep tar
archive-tar-minitar (0.5.2)
minitar (0.5.4)

Related issues: halostatue/minitar#16
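The three bsdtar rules quoted in the report (strip a leading `/`, refuse any `..` component, refuse to extract through an intermediate symlink and replace a symlink that is the final element) can be applied as a path check before each entry is written. The following is an added Ruby example, not minitar's code and not from the reporter; the `SafeExtract` module, its `UnsafeEntry` error and the constructed `SAMPLE_ENTRIES` list (which reuses the `../../tmp/qwerty1234` shape from the report) are assumptions for illustration, and the entries are plain name/type/payload triples rather than real tar headers.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example: defensive path validation for archive extraction, modelled on
# the bsdtar behaviour quoted in the issue. Not part of minitar.
module SafeExtract
  class UnsafeEntry < StandardError; end

  # Rules 1 and 2: drop a leading '/' (and empty or '.' components), and
  # refuse any entry whose path contains a '..' component.
  def self.sanitize_name(name)
    parts = name.split('/').reject { |p| p.empty? || p == '.' }
    raise UnsafeEntry, "Path contains '..': #{name}" if parts.include?('..')
    raise UnsafeEntry, "Empty path: #{name}" if parts.empty?
    File.join(parts)
  end

  # Rule 3: walk every intermediate component of the destination; if one that
  # already exists is a symlink, refuse, so an earlier entry cannot redirect
  # this one outside dest. Returns the absolute path the entry may be written to.
  def self.destination_for(dest, name)
    rel = sanitize_name(name)
    dest = File.expand_path(dest)
    current = dest
    rel.split('/')[0...-1].each do |component|
      current = File.join(current, component)
      raise UnsafeEntry, "Intermediate symlink in path: #{name}" if File.symlink?(current)
    end
    full = File.join(dest, rel)
    # Belt and braces: the resolved path must still sit below dest.
    raise UnsafeEntry, "Escapes destination: #{name}" unless full.start_with?(dest + File::SEPARATOR)
    full
  end

  def self.entry_ok?(dest, name)
    destination_for(dest, name)
    true
  rescue UnsafeEntry
    false
  end

  # Constructed sample "archive": [entry name, type, payload].
  SAMPLE_ENTRIES = [
    ['docs/readme.txt', :file, "hello\n"],
    ['../../../../tmp/qwerty1234', :file, "owned\n"],   # traversal shape from the report
    ['link', :symlink, '..'],                            # link whose target is outside dest
    ['link/escape.txt', :file, "via symlink\n"],         # would write through that link
  ].freeze

  # Extract entries into dest, recording :extracted or :refused per entry.
  def self.extract(entries, dest)
    entries.each_with_object({}) do |(name, type, payload), results|
      target = destination_for(dest, name)
      FileUtils.mkdir_p(File.dirname(target))
      # bsdtar rule: a symlink as the final element is removed and replaced.
      File.unlink(target) if File.symlink?(target)
      case type
      when :file then File.write(target, payload)
      when :symlink then File.symlink(payload, target)
      end
      results[name] = :extracted
    rescue UnsafeEntry
      results[name] = :refused
    end
  end

  # Run the sample archive through the checks in a throwaway directory.
  def self.demo
    Dir.mktmpdir('safe-extract') { |dir| extract(SAMPLE_ENTRIES, dir) }
  end
end

p SafeExtract.demo if __FILE__ == $PROGRAM_NAME
```

Running the block prints which sample entries were extracted and which were refused: the `..` entry and the entry routed through the `link` symlink are rejected before anything is written, while the ordinary file and the symlink entry itself are extracted, matching the bsdtar defaults described in the quoted man page.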
