<br><div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">From: Teemu Salmela <<a href="mailto:teemu.salmela@iki.fi">teemu.salmela@iki.fi</a>
><br><br><br>GNU tar directory traversal<br>----------------------------------------------------------------------------<br>What is it?<br>When I download a tar file (warez.tar.gz in this example) from the web and<br>run the following commands:
<br><br>$ mkdir ~/warez<br>$ tar xzf warez.tar.gz -C ~/warez<br><br>, then I would expect that tar doesn't create or replace any files outside<br>the ~/warez directory. Today, I was browsing the GNU tar source code trying
<br>to find a way to create/overwrite arbitrary files, and I found it!<br><br>Normal tar symlinks/hardlinks are handled correctly in GNU tar (I think),<br>but there is one tar record type, called GNUTYPE_NAMES (this is some kind
<br>of GNU extension, I think), that allows me to create symbolic links<br>(inside the ~/warez directory, in this example) pointing to arbitrary<br>locations in the filesystem. In the exploit, I make a symbolic link called
<br>"xyz", pointing to "/". After that record, more records would follow<br>that extract files to the "xyz" directory.<br><br>Version numbers:<br>----------------------------------------------------------------------------
<br>I tested this on Ubuntu 6.06 LTS, GNU tar 1.16 and GNU tar 1.15.1 (this one<br>comes with Ubuntu)<br><br>Vulnerable code:<br>----------------------------------------------------------------------------<br>See extract_archive() in
extract.c and extract_mangle() in mangle.c.<br><br>Exploit:<br>----------------------------------------------------------------------------<br>[snip tEh C code]<br>--<br>fscanf(socket,"%s",buf); printf(buf);<br>
sprintf(query, "SELECT %s FROM table", buf);<br>sprintf(cmd, "echo %s | sqlquery", query); system(cmd);<br>Teemu Salmela<br><br>----------------------------------------------------------------------------
</blockquote><div><br>LOLOLOLOLOLOLOLOLOL<br>That's pretty much the purpose of symlinks.. What's your point in posting this fact in FD?<br><br>Jeb<br></div><br></div>
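<div>The traversal pattern Teemu describes (a symlink that points outside the extraction directory, followed by records that write through it) can be caught before anything is extracted. The following is an added example, not code from the post, from the snipped exploit, or from GNU tar: a Python pre-extraction audit that walks an archive in member order, records the symlinks it would create, resolves each later member's path through them the way the kernel would at extraction time, and flags anything that would land outside the destination, along with any member carrying the GNUTYPE_NAMES record type (typeflag 'N' in GNU tar's tar.h; Python's tarfile defines no constant for it). The sample archive is constructed inline as a stand-in for the post's warez.tar.gz. Because the page does not show the body format of the 'N' record, the "xyz" -&gt; "/" link that record would create is modelled as an ordinary symlink member and the 'N' record itself is included empty; the function names and sample paths are the example's own.</div>

```python
import io
import posixpath
import tarfile

# GNU tar's tar.h defines GNUTYPE_NAMES as typeflag 'N'; Python's tarfile
# module has no constant for it.
GNUTYPE_NAMES = b"N"


def _escapes(path):
    """True if a normalized POSIX path lies outside the extraction directory."""
    return posixpath.isabs(path) or path == ".." or path.startswith("../")


def _resolve(name, links):
    """Rewrite a member name through symlinks created by earlier members,
    prefix by prefix, the way the kernel will when tar opens it for writing."""
    norm = posixpath.normpath(name)
    resolved = "/" if posixpath.isabs(norm) else ""
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        resolved = posixpath.normpath(posixpath.join(resolved, part))
        target = links.get(resolved)
        if target is not None:
            # An absolute target replaces the prefix; a relative one is taken
            # relative to the directory that holds the link.
            resolved = posixpath.normpath(
                target if posixpath.isabs(target)
                else posixpath.join(posixpath.dirname(resolved), target))
    return resolved


def audit_archive(data):
    """Return [(member name, reason)] for every member that `tar x` into an
    empty directory would let write or link outside it, plus any member
    carrying the old GNU 'N' record type."""
    findings, links = [], {}  # links: resolved link path -> link target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar:
            if m.type == GNUTYPE_NAMES:
                findings.append((m.name, "GNUTYPE_NAMES record: creates "
                                 "symlinks at extraction time (mangle.c)"))
                continue
            where = _resolve(m.name, links)
            if _escapes(where):
                findings.append((m.name, "would be written to " + where))
                continue
            if m.issym():
                target = (m.linkname if posixpath.isabs(m.linkname) else
                          posixpath.join(posixpath.dirname(where), m.linkname))
                if _escapes(posixpath.normpath(target)):
                    findings.append((m.name, "symlink to %s leaves the "
                                     "extraction directory" % m.linkname))
                links[where] = m.linkname  # later members may pass through it
            elif m.islnk() and _escapes(_resolve(m.linkname, links)):
                findings.append((m.name, "hard link to %s leaves the "
                                 "extraction directory" % m.linkname))
    return findings


def safe_extract(data, dest):
    """Refuse the archive if the audit finds anything; otherwise extract with
    the stdlib 'data' filter where available (Python 3.12+ and the security
    backports), which re-checks the same conditions at extraction time."""
    findings = audit_archive(data)
    if findings:
        raise ValueError("refusing to extract: %r" % findings)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def build_sample_archive():
    """Constructed in-memory stand-in for the post's warez.tar.gz: a harmless
    symlink, an (empty) GNUTYPE_NAMES record, the "xyz" -> "/" link that
    record would create, and a file written through that link."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        def add_file(name, content):
            ti = tarfile.TarInfo(name)
            ti.size = len(content)
            tar.addfile(ti, io.BytesIO(content))

        def add_symlink(name, target):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname = tarfile.SYMTYPE, target
            tar.addfile(ti)

        add_file("README", b"constructed sample\n")
        add_symlink("current", "v1")            # stays inside: not flagged
        add_file("current/notes.txt", b"ok\n")  # lands in v1/notes.txt
        names = tarfile.TarInfo("names")
        names.type = GNUTYPE_NAMES              # the record the post abuses
        tar.addfile(names)
        add_symlink("xyz", "/")                 # what that record would create
        add_file("xyz/etc/cron.d/evil", b"# constructed payload\n")
    return out.getvalue()
```

<div>Running audit_archive(build_sample_archive()) reports the empty 'N' record, the "xyz" link to "/", and "xyz/etc/cron.d/evil" resolving to /etc/cron.d/evil, while "current/notes.txt" passes because it resolves to v1/notes.txt inside the destination. The audit is a pre-filter that reasons about members in the order tar extracts them; it cannot know what an unknown record type would do, which is why the 'N' type is rejected outright rather than interpreted, and a file written through a link is reported as the write rather than only as the link, since the link alone is, as Jeb says, just a symlink.</div>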