
Full Disclosure mailing list archives
Re: cpio privilege escalation vulnerability via setuid files in cpio archive
From: Harry Sintonen via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 9 Jan 2024 00:45:39 +0200 (EET)
On Mon, 8 Jan 2024, Georgi Guninski wrote:

> When extracting archives cpio (at least version 2.13) preserves the setuid flag, which might lead to privilege escalation.

So does for example tar. The same rules that apply to tar also apply to cpio:

"Extract from an untrusted archive only into an otherwise-empty directory. This directory and its parent should be accessible only to trusted users."

> One example is r00t extracts to /tmp/ and scidiot runs /tmp/micq/backd00r without further interaction from root. We believe this is a vulnerability, since directory traversal in cpio is considered a vulnerability.

This is a user error, not a vulnerability in cpio.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
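The practical consequence of the exchange above is that an archive's mode bits are data supplied by whoever built the archive, so the time to look at them is before extraction, not after. The following is an added example written for this archive page, not code from either poster or from GNU cpio: it parses the SVR4 "newc" cpio format (the `070701` header that GNU cpio writes with `-H newc`) directly from bytes and reports entries that carry setuid or setgid bits or whose path would leave the extraction directory, the two conditions discussed in the thread. The sample archive is constructed inline by `build_newc_entry`; the entry names and modes in it are invented for the demonstration.

```python
import stat
from pathlib import PurePosixPath

# SVR4 "newc" cpio: 6-byte ASCII magic followed by 13 fields of 8 hex digits each.
NEWC_MAGIC = b"070701"
HEADER_LEN = 110
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")


def _pad4(n):
    """Bytes needed to round n up to a 4-byte boundary (newc aligns name and data)."""
    return (-n) % 4


def build_newc_entry(name, mode, data=b"", uid=0, gid=0):
    """Construct one newc entry. Used here only to build the constructed sample input."""
    name_b = name.encode() + b"\0"
    values = dict(ino=1, mode=mode, uid=uid, gid=gid, nlink=1, mtime=0,
                  filesize=len(data), devmajor=0, devminor=0, rdevmajor=0,
                  rdevminor=0, namesize=len(name_b), check=0)
    hdr = NEWC_MAGIC + b"".join(b"%08x" % values[f] for f in FIELDS)
    hdr += name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
    return hdr + data + b"\0" * _pad4(len(data))


def iter_newc_entries(blob):
    """Yield (name, mode, uid, gid) for each entry up to the TRAILER!!! record."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        raw = blob[off + 6:off + HEADER_LEN]
        fields = {f: int(raw[i * 8:(i + 1) * 8], 16) for i, f in enumerate(FIELDS)}
        name_start = off + HEADER_LEN
        # namesize counts the terminating NUL; drop it from the decoded name.
        name = blob[name_start:name_start + fields["namesize"] - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return
        yield name, fields["mode"], fields["uid"], fields["gid"]
        data_start = name_start + fields["namesize"] + _pad4(HEADER_LEN + fields["namesize"])
        off = data_start + fields["filesize"] + _pad4(fields["filesize"])


def audit_archive(blob):
    """Return (name, permission bits, uid, reasons) for every entry worth refusing."""
    findings = []
    for name, mode, uid, gid in iter_newc_entries(blob):
        reasons = []
        if mode & stat.S_ISUID:
            reasons.append("setuid")
        if mode & stat.S_ISGID:
            reasons.append("setgid")
        parts = PurePosixPath(name).parts
        if name.startswith("/") or ".." in parts:
            reasons.append("path escapes extraction dir")
        if reasons:
            findings.append((name, oct(mode & 0o7777), uid, reasons))
    return findings


def sample_archive():
    """Constructed sample archive: one benign file, one setuid root binary, one traversal path."""
    return (build_newc_entry("README", stat.S_IFREG | 0o644, b"hello\n")
            + build_newc_entry("usr/local/bin/helper",
                               stat.S_IFREG | stat.S_ISUID | 0o755, b"#!/bin/sh\n", uid=0)
            + build_newc_entry("../escaped", stat.S_IFREG | 0o644, b"x")
            + build_newc_entry("TRAILER!!!", 0))


if __name__ == "__main__":
    for name, perms, uid, reasons in audit_archive(sample_archive()):
        print("%-24s mode=%s uid=%d  %s" % (name, perms, uid, ", ".join(reasons)))
```

Running it lists the setuid entry with its owner uid and the `..` path, which is the information needed to decide whether the archive belongs in an otherwise-empty, trusted-only directory at all. The check only reads headers, so it never creates a file; it does not replace extracting with a reduced umask or `--no-preserve-owner`, it just tells you what the archive is asking for before cpio does it.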