[8029] in bugtraq
Re: tar "features"
daemon@ATHENA.MIT.EDU (Amos Hayes)
Fri Sep 25 17:36:43 1998
Date: Fri, 25 Sep 1998 13:24:21 -0400
Reply-To: Amos Hayes <ahayes@polkaroo.net>
From: Amos Hayes <ahayes@POLKAROO.NET>
X-To: Willy TARREAU <tarreau@AEMIAIF.LIP6.FR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199809220756.JAA18518@aemiaif.lip6.fr>
On Tue, 22 Sep 1998, Willy TARREAU wrote:
> Here's an example of a tar file which will overwrite your /etc/profile to
> make it add "+ +" to root's .rhosts next time he logs in. So if part of its
> directory architecture is included in any package, a root user could un-tar
> it to any location without really noticing that /etc/profile has been
> rewritten.
Perhaps I'm being a bit harsh, but I just thought that I'd point out that
certain programs have in fact been written with capabilities to modify
files. If you are going to be running programs on your computer, you
should expect this and take appropriate precautions. I like biosuits.
In the case of tar files, here are a couple of tar options (from the tar manpage
on IRIX 6.5):
R When extracting from tape, ignore leading slashes on file names,
i.e., extract all files relative to the current directory. This
also applies (as of IRIX 6.2) to any links that are restored (and
symbolic links if specified as RR). When specified as RRR, all
filenames (including the targets of symbolic links) are made
directory relative; that is, they are extracted as ./filename.
This mode is intended for the use of programs running as root, such
as tardist, that want to be sure that they do not overwrite system
files when extracting archives, either by accident, or through a
trojan horse attack. Since the t,x and other options referring to
specific files use pattern matching, you must omit the leading '/'
when specifying directory or filenames with those options when
using the R option. Thus, to extract /a/b/c with a relative
pathname, you would do:
tar xvR a/b/c
Earlier releases prepended a leading '.', requiring the use of:
tar xvR ./a/b/c
The way to check for sure is to use:
tar tvR | head -2
and then use whichever format is used in the output list.
If specified as RRR, all directory information is stripped from
pathnames in the archive, including the pathnames of symbolic
links. All files will be written to the current directory; no
directories will be created; symbolic links will only refer to
files in the current directory. Note that if two or more different
files in the archive have the same filename but have different
pathnames, the last file extracted will overwrite any earlier file
with the same filename.
N When extracting files, extract the file only if it is new; that is,
if the stat(2) system call fails on the pathname that is about to
be extracted. When listing files with the t key, only list them if
they would be extracted (that is, the file doesn't exist).
w tar prints the action to be taken followed by file name, then waits
for user confirmation. If a word beginning with `y' is given, the
action is done. Any other input means do not do it.
These options may or may not exist on your version of tar. But I believe
the point is that you should be careful if
a) you are running untrusted programs,
b) you are running trusted programs with untrusted input, or
c) you are running anything as root.
I fear that we may soon be seeing warnings like the following (extremely
sarcastic example) on the bugtraq list. Can we avoid this please?
-------------------------------------
I too have discovered a very dangerous situation. While investigating "rm"
I discovered that if you pass it a certain set of characters as parameters
while running it as root, it can erase your whole filesystem!
Here is the exploit command:
rm -rf /
I tried to contact the authors of rm but I think they must all be dead (or
at least senile) by now.
-------------------------------------
--
Amos Hayes Systems Architect
ahayes@polkaroo.net Ingenia Group - Software Kinetics Ltd.
http://polkaroo.net/~ahayes http://www.ingenia.com
"Remember: No one can make you feel inferior without your consent."
- ELEANOR ROOSEVELT
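The IRIX "R" option quoted above strips leading slashes so that an archive member named /etc/profile lands under the extraction directory instead of on top of the real file; the "RR"/"RRR" variants extend the same idea to link targets. The script below is an added example, not code from this thread or from any tar implementation, that reproduces that policy with Python's tarfile module: it builds a constructed archive containing the kinds of entries Willy's trick relies on (an absolute path, a ".." path, a symlink with an absolute target, and one harmless file), rewrites names the way "R" does, and refuses anything that would still escape the destination (a check that single "R" does not perform for ".." components or links). The function names and the archive contents are assumptions made for illustration.

```python
import io
import os
import posixpath
import tarfile
import tempfile
import warnings


def build_demo_archive() -> bytes:
    """Constructed sample archive (not an archive from the thread) carrying the
    entries an 'R'-style extraction must neutralize: an absolute-path member,
    a '..' member, a symlink with an absolute target, and one harmless file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        payload = b'echo "+ +" >> /.rhosts\n'    # the trick described in the post
        add_file("/etc/profile", payload)        # absolute path
        add_file("../../etc/profile", payload)   # traversal via '..'
        link = tarfile.TarInfo("pkg/link")       # symlink pointing outside
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/profile"
        tar.addfile(link)
        add_file("pkg/README", b"harmless\n")    # benign member
    return buf.getvalue()


def strip_leading_slashes(name: str) -> str:
    """What IRIX tar's single 'R' (and GNU tar by default) does: make an
    absolute member name relative to the extraction directory."""
    stripped = name.lstrip("/")
    return stripped if stripped else "."


def classify_member(member: tarfile.TarInfo, dest: str) -> str:
    """Return 'ok' if the member can only land inside dest, else why not.
    dest must already be an absolute, symlink-resolved path."""
    name = member.name
    if posixpath.isabs(name):
        return "absolute path"
    target = os.path.realpath(os.path.join(dest, name))
    if os.path.commonpath([dest, target]) != dest:
        return "path traversal"
    if member.issym() or member.islnk():
        if posixpath.isabs(member.linkname):
            return "absolute link target"
        # symlink targets are relative to the link's own directory;
        # hard-link targets are archive member names, i.e. relative to dest
        base = posixpath.dirname(name) if member.issym() else ""
        link_target = os.path.realpath(os.path.join(dest, base, member.linkname))
        if os.path.commonpath([dest, link_target]) != dest:
            return "link escapes destination"
    if member.isdev():
        return "device node"
    return "ok"


def safe_extract(archive_bytes: bytes, dest: str) -> dict:
    """Extract with leading slashes stripped (the 'R' behaviour) and every
    member that would still escape dest skipped. Returns {original name: verdict}."""
    dest = os.path.realpath(dest)
    os.makedirs(dest, exist_ok=True)
    report = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            original = member.name
            member.name = strip_leading_slashes(member.name)
            verdict = classify_member(member, dest)
            report[original] = verdict
            if verdict == "ok":
                with warnings.catch_warnings():
                    # Python versions differ on the default extraction filter;
                    # the checks above are the policy this example relies on
                    warnings.simplefilter("ignore", DeprecationWarning)
                    tar.extract(member, path=dest)
    return report


def extracted_paths(dest: str) -> set:
    """Relative paths of everything materialized under dest (for verification)."""
    found = set()
    for root, dirs, files in os.walk(dest):
        for n in dirs + files:
            found.add(os.path.relpath(os.path.join(root, n), dest))
    return found


def demo() -> tuple:
    """Run the extractor on the constructed archive in a fresh temp dir."""
    dest = tempfile.mkdtemp(prefix="tar-r-demo-")
    report = safe_extract(build_demo_archive(), dest)
    return report, dest


if __name__ == "__main__":
    report, dest = demo()
    for name, verdict in report.items():
        print(f"{verdict:>22}: {name}")
    print("extracted under", dest)
```

Run as root or not, the only file that reaches disk is the renamed etc/profile under the temp directory plus pkg/README; the ".." member and the absolute symlink are reported and skipped. The same listing pass (tar -tv, or getmembers() here) is what a package installer should do before extracting, which is the point Amos is making about trusted programs fed untrusted input.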