Full Disclosure mailing list archives

Re: cpio privilege escalation vulnerability via setuid files in cpio archive


From: Harry Sintonen via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 9 Jan 2024 09:28:59 +0200 (EET)

On Tue, 9 Jan 2024, Georgi Guninski wrote:

> On Tue, Jan 9, 2024 at 12:45 AM Harry Sintonen <harry () sintonen fi> wrote:
>
>> On Mon, 8 Jan 2024, Georgi Guninski wrote:
>>
>>> When extracting archives cpio (at least version 2.13) preserves
>>> the setuid flag, which might lead to privilege escalation.
>>
>> So does for example tar. The same rules that apply to tar also apply to
>> cpio:
>
> Which version of tar is vulnerable to this attack?

Tar does set the setuid bit, but tar is not vulnerable. This is not an attack.

The user is responsible for extracting the archives to a secure location and not letting other users access insecure setuid binaries. See:

https://www.gnu.org/software/tar/manual/html_section/Security.html#Security-rules-of-thumb

These same security considerations also apply to cpio.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
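
As an added example (not part of the original post, and not code from cpio or tar): a pre-extraction check that lists the setuid/setgid regular files recorded in a cpio archive, since the message above notes that extraction preserves these bits. It assumes the "newc" archive format (as written by `cpio -H newc`); the function names and the sample archive are constructed for illustration.

```python
import stat

HDR_LEN = 110  # newc header: 6-byte magic + 13 fields of 8 hex digits


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Build a constructed newc archive from (name, mode, uid, data) tuples."""
    out = b""
    for name, mode, uid, data in list(entries) + [("TRAILER!!!", 0, 0, b"")]:
        nm = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, dev x4, namesize, check
        fields = [0, mode, uid, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
        hdr = b"070701" + b"".join(b"%08X" % f for f in fields)
        out += hdr + nm + b"\0" * _pad4(len(hdr) + len(nm))
        out += data + b"\0" * _pad4(len(data))
    return out


def find_setid_entries(archive):
    """Return [(name, mode string, uid, gid)] for setuid/setgid regular files."""
    findings, pos = [], 0
    while pos + HDR_LEN <= len(archive):
        hdr = archive[pos:pos + HDR_LEN]
        if hdr[:6] not in (b"070701", b"070702"):
            raise ValueError("not a newc header at offset %d" % pos)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, uid, gid, filesize, namesize = f[1], f[2], f[3], f[6], f[11]
        start = pos + HDR_LEN
        name = archive[start:start + namesize - 1].decode(errors="replace")
        if name == "TRAILER!!!":
            break
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((name, stat.filemode(mode), uid, gid))
        # Skip the padded name, then the padded file data.
        pos = start + namesize + _pad4(HDR_LEN + namesize)
        pos += filesize + _pad4(filesize)
    return findings


# Constructed sample: one setuid file, one plain file, one setgid file.
SAMPLE = build_newc([
    ("bin/helper", 0o104755, 0, b"\x7fELF"),
    ("README", 0o100644, 1000, b"hello\n"),
    ("bin/tool", 0o102755, 0, b"#!"),
])
```

Any entry this reports will keep its setuid or setgid bit if the archive is extracted with permissions preserved, so such archives belong in a directory other users cannot reach.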
