Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Minitar directory traversal vulnerability #5

Open
ecneladis opened this issue Aug 22, 2016 · 1 comment
Open

Minitar directory traversal vulnerability #5

ecneladis opened this issue Aug 22, 2016 · 1 comment

Comments

@ecneladis
Copy link

@ecneladis ecneladis commented Aug 22, 2016

Overview

Minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename. Analogous vulnerabilities for unzip and tar: https://www.cvedetails.com/cve/CVE-2001-1268/ and http://www.cvedetails.com/cve/CVE-2001-1267/

Proof of Concept

~/current/tar_symlink ❯ tar -tvf symlink-overwrite.tar
lrwxrwxrwx  0 0      0           0 Jan  1  1970 ../../../../../../../../../../../../../../tmp/qwerty→

Actual behaviour:
~/current/tar_symlink ❯ rm -rf /tmp/qwerty1234
~/current/tar_symlink ❯ minitar extract symlink-overwrite.tar
~/current/tar_symlink ❯ ls -al /tmp/qwerty1234
-rwxrwxrwx 1 anon wheel 0 Jan 12 22:44 /tmp/qwerty1234

Desired behaviour:

~/current/tar_symlink ❯ tar -xf symlink-overwrite.tar
../../../../../../../../../../../../../../tmp/qwerty1234: Path contains '..'
tar: Error exit delayed from previous errors.

Example how bsdtar handles this kind of issues:


 o       Archive entries can have absolute pathnames.  By default, tar
         removes the leading / character from filenames before restoring
         them to guard against this problem.

 o       Archive entries can have pathnames that include .. components.
         By default, tar will not extract files containing .. components
         in their pathname.

 o       Archive entries can exploit symbolic links to restore files to
         other directories.  An archive can restore a symbolic link to
         another directory, then use that link to restore a file into that
         directory.  To guard against this, tar checks each extracted path
         for symlinks.  If the final path element is a symlink, it will be
         removed and replaced with the archive entry.  If -U is specified,
         any intermediate symlink will also be unconditionally removed.
         If neither -U nor -P is specified, tar will refuse to extract the
         entry.

Vulnerable, verified versions of gems:

~ ❯ gem list | grep tar
archive-tar-minitar (0.5.2)
minitar (0.5.4)

Related issues: halostatue/minitar#16

@halostatue

This comment has been minimized.

Copy link

@halostatue halostatue commented Nov 3, 2016

This will be resolved with the release of minitar 0.6 when halostatue/minitar#16 is corrected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.