Jeb, even so, I don't think 'LOLOLOLOL' is the best way to let Teemu know that. I personally would not like this kind of attitude. Don't take this the wrong way, I just didn't like this behavior on a list like this.

Take care.

Regards,
Gouki

On Wed, 2006-11-22 at 07:45 +0530, Jeb Osama wrote:
> > From: Teemu Salmela <teemu.salmela@xxxxxx>
> >
> > GNU tar directory traversal
> > ----------------------------------------------------------------------------
> > What is it?
> >
> > When I download a tar file (warez.tar.gz in this example) from the web and
> > run the following commands:
> >
> > $ mkdir ~/warez
> > $ tar xzf warez.tar.gz -C ~/warez
> >
> > then I would expect that tar doesn't create or replace any files outside
> > the ~/warez directory. Today, I was browsing the GNU tar source code trying
> > to find a way to create/overwrite arbitrary files, and I found it!
> >
> > Normal tar symlinks/hardlinks are handled correctly in GNU tar (I think),
> > but there is one tar record type, called GNUTYPE_NAMES (this is some kind
> > of GNU extension, I think), that allows me to create symbolic links
> > (inside the ~/warez directory, in this example) pointing to arbitrary
> > locations in the filesystem. In the exploit, I make a symbolic link called
> > "xyz", pointing to "/". After that record, more records would follow
> > that extract files to the "xyz" directory.
> >
> > Version numbers:
> > ----------------------------------------------------------------------------
> > I tested this on Ubuntu 6.06 LTS, GNU tar 1.16 and GNU tar 1.15.1 (this one
> > comes with Ubuntu)
> >
> > Vulnerable code:
> > ----------------------------------------------------------------------------
> > See extract_archive() in extract.c and extract_mangle() in mangle.c.
> >
> > Exploit:
> > ----------------------------------------------------------------------------
> > [snip tEh C code]
> >
> > --
> > fscanf(socket,"%s",buf); printf(buf);
> > sprintf(query, "SELECT %s FROM table", buf);
> > sprintf(cmd, "echo %s | sqlquery", query); system(cmd);
> > Teemu Salmela
> >
> > ----------------------------------------------------------------------------
>
> LOLOLOLOLOLOLOLOLOL
> That's pretty much the purpose of symlinks. What's your point in
> posting this fact on FD?
>
> Jeb
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
*//=================================================================
 .-.      Fingerprint:  4B36 0BC2 82CE 6858 4893 7132 BC98 A7E4 3482 BA17
 /v\      Size / Type:  1024/DSA
// \\     Availability: MIT's PKS - pgp.mit.edu
/( )\     Homepage:     GoukiHQ.org
^^-^^     |PHEAR THE PENGUIN|
*//=================================================================
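The pattern Teemu describes (a record that plants a symlink inside the extraction directory, followed by records that write files through it) is the general shape of symlink-based tar traversal, and the defence is to resolve every member's parent directory as it actually exists on disk at write time, not just to inspect the symlink members the extractor knows about. The following is an added example, not Teemu's snipped C exploit and not GNU tar's code: Python's tarfile cannot emit a GNUTYPE_NAMES record, so the constructed sample archive plants the link with an ordinary SYMTYPE member instead, and the second scenario simulates the GNUTYPE_NAMES case by pre-creating the link in the destination as if some record the link-target check never saw had put it there. The `build_traversal_tar`, `safe_extract` and `run_demo` names, the "xyz" link name and the "victim" directory are this example's own assumptions.

```python
import io
import os
import tarfile
import tempfile


def build_traversal_tar(link_target, with_symlink=True):
    """Constructed sample archive: symlink member "xyz" -> link_target, then a
    regular file "xyz/owned.txt" that a naive extractor writes through the link.
    Built with a standard SYMTYPE member; tarfile cannot write GNUTYPE_NAMES."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        if with_symlink:
            link = tarfile.TarInfo("xyz")
            link.type = tarfile.SYMTYPE
            link.linkname = link_target
            tf.addfile(link)
        payload = b"owned\n"
        f = tarfile.TarInfo("xyz/owned.txt")  # default type is REGTYPE
        f.size = len(payload)
        tf.addfile(f, io.BytesIO(payload))
    return buf.getvalue()


def _inside(root, path):
    return os.path.commonpath([root, path]) == root


def safe_extract(data, dest):
    """Extract directories, regular files and symlinks into dest, refusing any
    member whose real on-disk destination (after following symlinks that already
    exist under dest, whoever created them) or whose link target lies outside
    dest. Returns the names of rejected members."""
    root = os.path.realpath(dest)
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf:
            name = m.name.rstrip("/")
            target = os.path.join(root, name)
            # Resolve the parent as it exists *right now*, so a link planted by
            # an earlier record (of any type) is followed before the check.
            parent = os.path.realpath(os.path.dirname(target))
            final = os.path.join(parent, os.path.basename(name))
            if not _inside(root, final):
                rejected.append(m.name)
                continue
            if m.issym():
                link_dst = os.path.realpath(os.path.join(parent, m.linkname))
                if not _inside(root, link_dst):
                    rejected.append(m.name)
                    continue
                os.makedirs(parent, exist_ok=True)
                os.symlink(m.linkname, final)
            elif m.isdir():
                os.makedirs(final, exist_ok=True)
            elif m.isreg():
                os.makedirs(parent, exist_ok=True)
                with open(final, "wb") as out, tf.extractfile(m) as src:
                    out.write(src.read())
            else:
                rejected.append(m.name)  # hardlinks, devices, etc.: not handled here
    return rejected


def run_demo():
    """Two scenarios; returns what was rejected and whether the victim dir stayed clean."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")  # stands in for "/" in the advisory
        os.mkdir(victim)
        # 1. A symlink member pointing outside dest: the link itself is refused,
        #    so "xyz/owned.txt" lands in a real directory under dest.
        dest1 = os.path.join(tmp, "warez1")
        os.mkdir(dest1)
        results["symlink_rejected"] = safe_extract(build_traversal_tar(victim), dest1)
        results["victim_clean_1"] = os.listdir(victim) == []
        # 2. The GNUTYPE_NAMES situation: the link already exists under dest,
        #    planted by a record the link-target check never saw. Resolving the
        #    parent at write time still catches the write through it.
        dest2 = os.path.join(tmp, "warez2")
        os.mkdir(dest2)
        os.symlink(victim, os.path.join(dest2, "xyz"))
        results["write_through_link_rejected"] = safe_extract(
            build_traversal_tar(victim, with_symlink=False), dest2)
        results["victim_clean_2"] = os.listdir(victim) == []
    return results


if __name__ == "__main__":
    print(run_demo())
```

The check is deliberately done on `os.path.realpath` of the parent directory immediately before each write, because the archive is processed sequentially and the filesystem, not the archive header, is what decides where the write goes; a check that only looks at SYMTYPE members would have passed the GNUTYPE_NAMES archive from the advisory.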