Bugtraq mailing list archives
GNU tar vulnerability
From: bje () air net au (Ben Elliston)
Date: Sat, 25 Jan 1997 09:37:40 +1100
I reported the following vulnerability to AUSCERT, but they weren't
interested. People on this list might be, though!
GNU tar is lazy about file creation modes and file owners when unpacking
a tar file. Because GNU tar defaults to creating files owned by the
userid running tar when the username is not found on your system, it can
be possible to inadvertantly create setuid root programs.
Let me give you an example:
On machine A, as user "fred" (uid doesn't matter), use gtar
to create a tar file of the directory ~/files. Inside the
subdirectory, place a copy of /bin/bash and, as fred, make
the program setuid fred (the mode 4755 works well).
Set the tar file to someone on machine B where the user "fred"
does not exist and have them unpack the directory somewhere.
Since "fred" does not exist on machine B and gtar is being
run as root, you have created a world-executable setuid-root
shell.
I stumbled on this when using a `tar | rsh tar' pipeline to transfer a
bunch of home directories from one machine to another. I thought all
users on the source machine existed on the destination, but this was not
the case.
Furthermore, for all files owned by the users not on both machines, they
were created with ownership to root . . including some setuid programs
which were now setuid root!
It's very, very easy to get caught out by this. I'd like to see GNU tar
strip the setuid bit off files it has to revert the ownership for due to
an unknown original owner.
Ben.
--
Ben Elliston
<bje () air net au>
Current thread:
- NT RPC Hotfix Aleph One (Jan 23)
- Re: NT RPC Hotfix dsiebert () icaen uiowa edu (Jan 23)
- AOL client port and possible security risk. Sami A. Yousif (Jan 23)
- Re: NT RPC Hotfix Darren Reed (Jan 24)
- <Possible follow-ups>
- Re: NT RPC Hotfix Brad.Powell (Jan 24)
- Re: NT RPC Hotfix Yuri Volobuev (Jan 24)
- GNU tar vulnerability Ben Elliston (Jan 24)
- [NTSEC] NT vulnerable to DOS attack on more than just port 135 Bob Beck (Jan 25)
