Date: Thu, 08 Jan 2015 02:43:27 +0300
From: Alexander Cherepanov <cherepan@...me.ru>
To: oss-security@...ts.openwall.com
Subject: Directory traversals in cpio and friends?

Hi!

I've taken a look at how dir traversals are dealt with in several 
implementations of tar and cpio. The picture is kinda strange.

First of all, I believe it's usually agreed that archivers must not 
touch files outside the current directory by default. Is there an 
authoritative link for this?

Then, it seems there are 3 main ways to exploit dir traversals through 
archives:

1) via absolute paths, the column 'abs' below;

2) via relative paths with '..', the column 'rel' below;

3) via symlinks to directories, the column 'link' below.

Software:

1) GNU tar and cpio, called 'tar' and 'cpio' below, tested versions from 
Debian jessie and git head;

2) BSD tar and cpio (based on libarchive), called 'bsdtar' and 'bsdcpio' 
below, tested versions from Debian jessie and git head;

3) OpenBSD-derived(?) pax, with tools called 'paxtar', 'paxcpio' and 
'pax' below, tested versions from Debian jessie and FreeBSD 
10.0-RELEASE-p12.

The results of tests of tar and cpio archives against various commands 
follow. '=' means that the corresponding file is not extracted, 'x' 
means that it is extracted. IMHO a secure configuration should list three 
'=', an insecure configuration should list three 'x'; everything else is 
inconsistent. The list was created by the attached scripts.

=== tar ===
abs     rel     link    cmd
=       =       =       tar -x
x       x       x       tar -x -P
=       =       =       bsdtar -x
x       x       x       bsdtar -x -P
=       x       x       paxtar -x
x       x       x       paxtar -x -P
x       x       x       pax -r

=== cpio ===
abs     rel     link    cmd
x       x       x       cpio -i
=       =       x       cpio -i --no-absolute-filenames
x       =       =       bsdcpio -i
x       x       x       bsdcpio -i --insecure
x       x       x       paxcpio -i

tar and bsdtar are ok. Good. But not much.

Question 1. Perhaps there are some reasons why all cpio variants (unlike 
tar) extract files with absolute paths by default?

Question 2. BSD folks which are behind pax* tools don't consider 
directory traversal a vulnerability, do they?

The only 'x' in the line for `cpio -i --no-absolute-filenames` seems to 
be a clear vuln. Reported here: https://bugs.debian.org/774669 and now 
sent to upstream ml.

-- 
Alexander Cherepanov

View attachment "test-tar-1.sh.txt" of type "text/plain" (713 bytes)

View attachment "test-tar-all.sh.txt" of type "text/plain" (428 bytes)
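A pre-extraction check for the three columns tabulated above, added here as an example and not one of the post's attached scripts: it builds a constructed in-memory tar with one member per vector plus one safe file, then classifies every member as 'abs', 'rel' or 'link' using only the Python standard library. The archive member names ("/tmp/abs_evil", "../rel_evil", "link" -> "/tmp", "link/link_evil") are constructed for the demonstration.

```python
import io
import posixpath
import tarfile

def escapes_root(path):
    """True if a relative path, once normalized, climbs above the extraction root."""
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")

def classify_members(fileobj):
    """Map the post's three vectors ('abs', 'rel', 'link') to offending member names."""
    findings = {"abs": [], "rel": [], "link": []}
    bad_links = set()  # normalized names of unsafe symlink members seen so far
    with tarfile.open(fileobj=fileobj, mode="r") as tf:
        for m in tf.getmembers():
            name, norm = m.name, posixpath.normpath(m.name)
            if posixpath.isabs(name):
                findings["abs"].append(name)
            elif escapes_root(name):
                findings["rel"].append(name)
            elif m.issym():
                # A symlink target resolves relative to the link's own directory.
                target = posixpath.join(posixpath.dirname(norm), m.linkname)
                if posixpath.isabs(m.linkname) or escapes_root(target):
                    findings["link"].append(name)
                    bad_links.add(norm)
            else:
                # A member below an unsafe symlinked directory lands outside the
                # root if the extractor follows the link instead of replacing it.
                parts = norm.split("/")
                if any("/".join(parts[:i]) in bad_links for i in range(1, len(parts))):
                    findings["link"].append(name)
    return findings

def build_sample_archive():
    """Constructed in-memory tar (not the post's attachment): one member per vector plus a safe file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name):
            tf.addfile(tarfile.TarInfo(name))  # zero-length regular file
        add_file("safe/file.txt")
        add_file("/tmp/abs_evil")      # 'abs' column
        add_file("../rel_evil")        # 'rel' column
        ln = tarfile.TarInfo("link")   # 'link' column: symlink to a directory outside
        ln.type = tarfile.SYMTYPE
        ln.linkname = "/tmp"
        tf.addfile(ln)
        add_file("link/link_evil")     # payload written through the symlink
    buf.seek(0)
    return buf
```

An archive is safe to hand to an extractor in the sense of the table only when all three lists come back empty; Python 3.12's own tarfile extraction filters (filter="data") refuse the same kinds of members at extraction time.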
