what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Tar / Cpio Heap Buffer Overflow

Tar / Cpio Heap Buffer Overflow
Posted Mar 10, 2010
Authored by Jakob Lell

GNU Tar and GNU Cpio suffer from a heap-based buffer overflow vulnerability. Tar versions prior to 1.23 and Cpio versions prior to 2.11 are affected.

tags | advisory, overflow
advisories | CVE-2010-0624
SHA-256 | d24150b634cab2351df08efe4449b09dfe98932abdb966b3ab00c97293fcd9c2

Tar / Cpio Heap Buffer Overflow

Change Mirror Download

GNU Tar and GNU Cpio are popular programs for managing archive
files. Both programs are included in many linux distributions. GNU Tar
is commonly used for exchanging source code archives.

Both programs include a client implementation for the remote mag tape
protocol (rmt). This protocol allows accessing a tape device attached
to a remote system via a rsh/ssh. It can also be used to
extract/create archive files on another system directly using Tar/Cpio
(although using rmt for accessing remote files is deprecated).


The rmt client implementation of GNU Tar/Cpio contains a heap-based
buffer overflow which possibly allows arbitrary code execution.

The vulnerability is in the function rmt_read__ in lib/rtapelib.c:

/* Read up to LENGTH bytes into BUFFER from remote tape connection HANDLE.
Return the number of bytes read on success, SAFE_READ_ERROR on error. */
rmt_read__ (int handle, char *buffer, size_t length)
char command_buffer[COMMAND_BUFFER_SIZE];
size_t status;
size_t rlen;
size_t counter;

sprintf (command_buffer, "R%lu\n", (unsigned long) length);
if (do_command (handle, command_buffer) == -1
|| (status = get_status (handle)) == SAFE_READ_ERROR)

for (counter = 0; counter < status; counter += rlen, buffer += rlen)
rlen = safe_read (READ_SIDE (handle), buffer, status - counter);
if (rlen == SAFE_READ_ERROR || rlen == 0)
_rmt_shutdown (handle, EIO);

return status;

The function first writes to the server how many bytes it wants to
read using sprintf() and do_command(). Then it reads the number of
bytes available into the variable status using get_status(). In the
for loop, the function reads status bytes from the server into the
buffer. However, it doesn't check whether status is actually less than
or equal the length of the buffer given by the parameter length. So a
malicious rmt server can overwrite data on the heap following the
buffer. Successful exploitation of this bug could possibly lead to
arbitrary code execution.


The problem can be exploited when using an untrusted/compromised rmt
server. The impact is fairly low since rmt is rarely used today and
the rmt server is in most cases considered trustworthy.

However, this vulnerability can also be triggered when trying to
extract a tar file with a colon in the filename. In this case, tar
interprets the part before the colon as a hostname (or user@hostname)
and opens a rsh connection to this host. This may also be exploited if
the user uses the aunpack script from atool [1] to extract a tar
file. Many users of GNU Tar or atool don't know that rmt exists and
that tar treats filenames containing a colon differently. So a user
might run tar or aunpack on a file which he has received via email or
downloaded from a web page. Many users enter filenames using bash
auto-completion and thus might not even notice that there is anything
wrong with the filename.

For Cpio, this attack vector does not work since Cpio requires the
option --rsh-command to use rmt. Tar has compiled in the default value

It is also possible that there are scripts out there which
automatically call Tar to extract a file with a name provided by an
untrusted source. If the script passes the filename with an (absolute
or relative) path or uses the --force-local option, this problem can
be avoided

Notes on rsh/ssh:

GNU Tar uses /usr/bin/rsh to execute the rmt server implementation
(/usr/bin/rmt) on the server. On most modern linux systems
/usr/bin/rsh is just a symlink to ssh. So an attempt to exploit this
vulnerability might make ssh ask the user whether to add a new key to
the known_hosts file. This gives users the possibility to cancel the
program and thus prevent successful exploitation. However, the problem
can still be exploited if the attacker has compromised a machine which
is already in the users known_hosts file or if the user has set
StrictHostKeyChecking to "no" in his ssh configuration.


Do not use the integrated rmt client of GNU Tar/Cpio if the rmt server
is untrusted or potentially compromised. Always check that the
filename doesn't contain a colon when extracting tar files or use the
--force-local option.


Upgrade GNU Tar to version 1.23 and GNU Cpio to version 2.11.

Some Linux Distributions are going to release upgrades packages
today or in the next few days.


2010/02/12: Vendor and major Linux Distributions notified
2010/03/10: Public disclosure

VI. Credit

This vulnerability has been discovered by Jakob Lell from the
TU Berlin computer security working group (AGRS).


A copy of this advisory is also available on the following page:


[1] http://www.nongnu.org/atool/

Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    47 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By