This is why you should not extract tars as root



Check this out... you have to be careful.

-Mario.

Dave Whitinger wrote:

> ------ Forwarded message ------
>     From: Willy TARREAU <tarreau en aemiaif lip6 fr>
>
> Hi all !
>
> After reading all these threads about locate, bash ..., I wondered how tar
> could be abused. Although I didn't find a buffer overflow in a file or
> directory name (fortunately), it came to me a way to make tar overwrite
> absolute files on disk, (given the user has access to it), but I can't find
> how to protect from this because it's based on a perfectly legal behaviour.
> It's based on the symlinks.
>
> Here's an example of a tar file which will overwrite your /etc/profile to
> make it add "+ +" to root's .rhosts next time he logs in. So if part of its
> directory architecture is included in any package, a root user could un-tar
> it to any location without really noticing that /etc/profile has been
> rewritten.
>
> Of course it would be simpler with only two files, one link to /root and a
> .rhosts, but that becomes really evident when you consult the file before
> extracting it. Note that it could also be interesting to write a key to
> $ANYUSER/.ssh/authorized_keys !
>
> The output of the tar ztvf gives this:
> $ tar ztvf trojanhorse.tar.gz
> drwxr-xr-x willy/users       0 Sep 21 11:43 1998 Src/
> -rw-r--r-- willy/users      46 Sep 21 11:43 1998 Src/Makefile
> -rw-r--r-- willy/users      17 Sep 21 11:42 1998 Src/dummy.c
> lrwxrwxrwx willy/users       0 Sep 21 11:45 1998 src -> Src
> drwxr-xr-x willy/users       0 Sep 21 11:41 1998 Include/
> -rw-r--r-- willy/users      30 Sep 21 11:41 1998 Include/config.h
> lrwxrwxrwx willy/users       0 Sep 21 11:34 1998 include -> /etc
> -rw-r--r-- willy/users     758 Sep 21 11:40 1998 include/profile
> lrwxrwxrwx willy/users       0 Sep 21 11:53 1998 include -> Include
>
> The "src" and "Src" directories are just here to make detection less evident.
> This is the "include" link to /etc which does the work. After processing,
> it's re-linked to "Include" so when tar ends, no trace is kept of what has
> been done, except in /etc/profile.
>
> The file comes here, uuencoded. PLEASE SAVE YOUR /etc/profile before
> extracting it to any place (/tmp, for example). I think that if tar gave
> just a warning each time a file is written after a symlink, and each time
> a symlink points to /something, this could be good, but perhaps someone
> would have a better idea.
>
>                                         Willy
>
> --
> +----------------------------------------------------------------------------+
> | Willy Tarreau - tarreau en aemiaif lip6 fr - http://www-miaif.lip6.fr/willy/  |
> | System and Network Engineer at NOVECOM ( France ) - http://www.novecom.fr/ |
> | Magistere d'Informatique Appliquee de l'Ile de France ( MIAIF ), Year 1997 |
> +----------------------------------------------------------------------------+
>
> [ I have removed the exploit, for space considerations.  - editor ]
>
> --
>       Three Point's Linux News --- http://news.threepoint.com
>        Linux consulting at http://consulting.threepoint.com
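
The warning the forwarded message asks for can be produced before extraction by walking the member list in order. The following is an added example, not code from the original post or from tar itself; the function names and the sample list are assumptions, and the sample is constructed from the `tar ztvf` listing quoted above (metadata only, no file contents).

```python
import posixpath
import tarfile

def _escapes(path):
    return path.startswith("/") or path == ".." or path.startswith("../")

def audit_members(members):
    """Return (kind, member, detail) warnings for an iterable of TarInfo."""
    links = {}       # archive path -> symlink target, as of this point in the stream
    warnings = []
    for m in members:
        parts = [p for p in m.name.split("/") if p not in ("", ".")]
        name = "/".join(parts)
        if m.name.startswith("/") or ".." in parts:
            warnings.append(("unsafe-name", m.name, "absolute path or '..' component"))
        for i in range(1, len(parts)):   # every parent directory of this member
            parent = "/".join(parts[:i])
            if parent in links:
                warnings.append(("through-symlink", m.name, f"{parent} -> {links[parent]}"))
                break
        if m.issym():
            # A symlink target is resolved relative to the link's own directory.
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
            if _escapes(resolved):
                warnings.append(("escaping-symlink", m.name, m.linkname))
            links[name] = m.linkname     # a re-link replaces the earlier target
        else:
            links.pop(name, None)        # a later non-link member replaces the link
    return warnings

def sample_members():
    """Constructed input: member order copied from the `tar ztvf` listing above."""
    listing = [("Src/", None), ("Src/Makefile", None), ("Src/dummy.c", None),
               ("src", "Src"), ("Include/", None), ("Include/config.h", None),
               ("include", "/etc"), ("include/profile", None), ("include", "Include")]
    members = []
    for name, target in listing:
        info = tarfile.TarInfo(name.rstrip("/"))
        if target is not None:
            info.type, info.linkname = tarfile.SYMTYPE, target
        elif name.endswith("/"):
            info.type = tarfile.DIRTYPE
        members.append(info)
    return members

if __name__ == "__main__":
    # For a real archive: with tarfile.open(path) as tf: audit_members(tf)
    for kind, member, detail in audit_members(sample_members()):
        print(f"WARNING {kind}: {member} ({detail})")
```

Because the link table is updated in stream order, the final re-link of `include` to `Include` does not hide the earlier `include -> /etc` entry, which is what a check of the extracted tree alone would miss.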
