Bugtraq mailing list archives
GNU tar vulnerability
From: bje () air net au (Ben Elliston)
Date: Sat, 25 Jan 1997 09:37:40 +1100
I reported the following vulnerability to AUSCERT, but they weren't interested. People on this list might be, though!

GNU tar is lazy about file creation modes and file owners when unpacking a tar file. Because GNU tar defaults to creating files owned by the userid running tar when the username is not found on your system, it can be possible to inadvertently create setuid root programs. Let me give you an example:

On machine A, as user "fred" (uid doesn't matter), use gtar to create a tar file of the directory ~/files. Inside the subdirectory, place a copy of /bin/bash and, as fred, make the program setuid fred (the mode 4755 works well). Send the tar file to someone on machine B where the user "fred" does not exist and have them unpack the directory somewhere. Since "fred" does not exist on machine B and gtar is being run as root, you have created a world-executable setuid-root shell.

I stumbled on this when using a `tar | rsh tar' pipeline to transfer a bunch of home directories from one machine to another. I thought all users on the source machine existed on the destination, but this was not the case. Furthermore, for all files owned by the users not on both machines, they were created with ownership to root . . . including some setuid programs which were now setuid root! It's very, very easy to get caught out by this.

I'd like to see GNU tar strip the setuid bit off files it has to revert the ownership for due to an unknown original owner.

Ben.

--
Ben Elliston <bje () air net au>
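A pre-extraction audit a receiving administrator could run before unpacking an archive as root, added here as example code (not from the message above and not part of GNU tar): it lists setuid/setgid members whose recorded owner or group name does not resolve on the local host, which is exactly the case where tar falls back to the extracting user and leaves the mode intact. The sample archive is constructed in memory; the member names, the user "fred" and the placeholder file contents are assumptions for the demonstration.

```python
"""Audit a tar archive before extracting it as root: flag setuid/setgid
members whose recorded owner or group does not exist on this host, the
case where tar would fall back to the extracting user and keep the mode."""
import grp
import io
import pwd
import stat
import tarfile

def local_users():
    """Usernames present in the local password database."""
    return {p.pw_name for p in pwd.getpwall()}

def local_groups():
    """Group names present in the local group database."""
    return {g.gr_name for g in grp.getgrall()}

def risky_members(fileobj, users, groups):
    """Return (name, mode, uname, gname) for regular-file members that are
    setuid with an unknown uname, or setgid with an unknown gname."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for m in tf:
            if not m.isfile():
                continue
            bad_suid = bool(m.mode & stat.S_ISUID) and m.uname not in users
            bad_sgid = bool(m.mode & stat.S_ISGID) and m.gname not in groups
            if bad_suid or bad_sgid:
                findings.append((m.name, oct(m.mode), m.uname, m.gname))
    return findings

def build_sample_archive():
    """Constructed in-memory archive mirroring the message's scenario; the
    member contents are placeholder bytes, not a real shell binary."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, mode, owner, data in (
            ("files/bash", 0o4755, "fred", b"placeholder\n"),  # unknown owner
            ("files/notes.txt", 0o644, "fred", b"plain\n"),    # no setuid bit
            ("files/tool", 0o4755, "root", b"placeholder\n"),  # owner exists
        ):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            info.uname = info.gname = owner
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Audit the sample as if the receiving host knew only the user 'root'.
    for hit in risky_members(build_sample_archive(), {"root"}, {"root"}):
        print("unsafe to extract as root:", hit)
```

For a real archive, call `risky_members(open(path, "rb"), local_users(), local_groups())` on the destination host and refuse to extract as root while the list is non-empty.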