tar: Directory traversal vulnerability may lead to command execution / privilege escalation #3991
Comments
Worth noting that this could also be used to gain command execution on the host, or elevate privileges to the
R.I.P. for Andreas's $5 (http://serenityos.org/bounty/)
I suppose that depends whether Andreas believes this is of sufficient criticality to warrant an exception to the bug bounty rules. Exploitation via this technique seems fairly likely; however, this doesn't qualify for bounty as it requires user interaction. There's nothing in userland (or Although the bug bounty rules are a bit unfair due to the "unfinished" nature of the project. A lot more attack surface will be opened up once Serenity is used as a legitimate "everyday" OS (as per the project goals). For example, everything except
I'm not sure if the "bugs in programs that are not started by default" applies here since it's in the same line as "Remote bugs". But, it would be best to get Andreas's clarification.
I believe the intention of that statement was to prevent bounty claims in services such as TelnetService (i.e., #1735), especially as it does not currently support authentication, or non-default software (i.e., Ports).
I don't understand the problem here (aside from while
That's the problem. Not only should
Agreed.
That's the problem.
Imagine you download some software in a compressed zip/tar archive. You extract the software without the verbose flag and prepare to enjoy your totally-not-malicious software. Or perhaps you enable verbose output, but the output flies by so fast that you don't notice anything strange. Without warning, a file has been written to a parent directory without your knowledge. For exactly this reason, modern zip/tar software will refuse to extract files if the destination path traverses outside the working directory (by default).
It sure is, presuming of course that you can make the user do that without their knowledge. That seems like a tall order. But if you've figured out mind control please tell me your secret.
Not sure how that leads to privilege escalation, but I do agree with
Also, it is not just users that are affected. Any software that downloads then decompresses a malicious archive using the userland Similarly, any server software (such as web applications) which permits the user to upload a file, then subsequently decompresses the file using the userland No software currently included with Serenity performs these actions (that I'm aware of).
Fair call. Given that there really isn't much attack surface or usable functionality, and Serenity is basically a single user system due to the lack of login/logoff functionality, privilege escalation (to In reality, this is more likely to be exploited to gain a foothold on the system by tricking a user into extracting the contents of a malicious compressed file. The underlying issue is directory traversal leading to arbitrary file write (depending on file system permissions for the user). In terms of impact, you're correct that, in practice, command execution is a better title and more realistic scenario than privilege escalation. Given that this is effectively a local file exploit (rather than remote) and most likely requires some form of social engineering ("here, open this"), and due to the lack of attackable functionality, I had a few scenarios in mind:
An academic exercise at this stage of system development given the limited environment.
Let's not play the game of calling everything a security vulnerability.
Strange response. Here's some light reading for you to peruse with your morning coffee:
Sorry, I'm just not a fan of the extreme hyperbole. These are just bugs and we can fix them. :)
I posted an issue to describe an issue, clearly demonstrating why it is an issue with accompanying screenshots. I didn't say it was critical. I didn't say it was urgent. I didn't say it was likely. I didn't claim a bug bounty. No hyperbole. Cause and effect. Most software has vulnerabilities. This isn't an attack on you or your ego or your skills or your project.
These are just bugs and we can fix them. :)
Hmm, let me start over, I sound like such a grump. I had an unnecessarily strong reaction to the "may lead to command execution / privilege escalation" suffix in the bug titles, which to me felt like noise added for dramatic effect. I'm sorry about that.
@awesomekling thanks friend :)
This change validates the filenames within a tar/zip archive during extraction. If the filename within the archive is outside of the current working directory the file will be skipped and not extracted onto the host system. Closes SerenityOS#3991 Closes SerenityOS#3992
Opened a PR to fix this issue. Trying to get my feet wet with Serenity/C++ so let me know if I'm doing something silly :) |
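As an added example (not SerenityOS code and not the PR author's patch), here is a lexical path check in C++ of the kind the PR describes: an archive entry is extracted only when its normalized name stays inside the extraction directory, otherwise it is skipped. The function names `safe_extraction_path` and `entries_to_extract` and the sample archive listing are my own constructions.

```cpp
// Added example, not part of SerenityOS: decide whether a tar/zip entry name
// may be written relative to the extraction directory.
#include <optional>
#include <string>
#include <vector>

// Returns the normalized relative path if `entry_name` stays inside the
// extraction directory, or std::nullopt if the entry must be skipped.
// This is a purely lexical check: a symlink entry that points outside the
// directory needs a separate check at extraction time.
std::optional<std::string> safe_extraction_path(const std::string& entry_name)
{
    if (entry_name.empty() || entry_name[0] == '/')
        return std::nullopt; // empty or absolute path: never extract

    std::vector<std::string> parts;
    size_t start = 0;
    while (start <= entry_name.size()) {
        size_t end = entry_name.find('/', start);
        if (end == std::string::npos)
            end = entry_name.size();
        std::string component = entry_name.substr(start, end - start);
        if (component.empty() || component == ".") {
            // redundant separator or current directory: nothing to do
        } else if (component == "..") {
            if (parts.empty())
                return std::nullopt; // would climb above the extraction directory
            parts.pop_back();
        } else {
            parts.push_back(component);
        }
        start = end + 1;
    }
    if (parts.empty())
        return std::nullopt; // "." or "a/.." resolves to the directory itself

    std::string normalized;
    for (size_t i = 0; i < parts.size(); ++i) {
        if (i)
            normalized += '/';
        normalized += parts[i];
    }
    return normalized;
}

// Filter a (constructed) archive listing, keeping only entries safe to write.
std::vector<std::string> entries_to_extract(const std::vector<std::string>& archive_entries)
{
    std::vector<std::string> safe;
    for (const auto& name : archive_entries)
        if (auto path = safe_extraction_path(name))
            safe.push_back(*path);
    return safe;
}
```

An extractor using this check would log each skipped entry name so a user running without the verbose flag still learns that the archive tried to escape the working directory.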

Most of the file system is mounted read-only. However, we can overwrite /etc/shellrc to gain privileges next time root uses /bin/sh.