From: team_pwn4ge at outgun.com (Team Pwnge)
Subject: UNIX Tar Security Advisory from TEAM PWN4GE

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TEAM PWN4GE Security Advisory                                     PWNED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: HIGH
     Title: TAR: Local root exploit using Tar
      Date: February 02, 2005

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An evil, malicious, vile, disgusting, atrocious vulnerability has been
found to exist on Unix based machines with the tar binary.


Background
==========

TAR is a Unix based tool used to compress files. It is nowhere near
as functional or useable as WinZip, but nevertheless Unix users need
love too.

Affected versions
=================

All versions of Unix based variants using TAR can be pwn0rf13d.

Description
===========

Shotgun Willie of TEAM PWN4G3 discovered that an unobservant (l)user
can extract the contents of a tarball overwriting his shadow (or for
those "others", master.passwd) files leading to maximum pwn4ge.

Proof of Concept
================

# tar -cf parishiltonpr0n.tar /etc/shadow
# mv /path/to/htdocs/parishiltonpr0n.tar
# ssh pwn4ge@...alhost
pwn4ge@...alhost's password:
Last login: Wed Feb  2 14:48:41 2005 from sec.msft.com
Sun Microsystems Inc.   SunOS 5.10       PWN4GEKERNEL Jan 2005
You have mail.
$ wget www.(PROTECTEDSITENAME).net/parishiltonpr0n.tar
--15:42:02--  http://www.(PROTECTEDSITENAME).net/parishiltonpr0n.tar
           => `parishiltonpr0n.tar'
Resolving www.(PROTECTEDSITENAME).net... done.
Connecting to www.(PROTECTEDSITENAME).net[198.81.129.100]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,163 [application/x-tar]

100%[=================================================================================>] 1,163          1.11M/s    ETA 00:00

15:42:02 (1.11 MB/s) - `rechecker.tar.gz' saved [1163/1163]
$ echo "w00t"
$ tar -xvf parishiltonpr0n.tar
tar: blocksize = 8
x /etc/shadow, 1100 bytes, 5 tape blocks
# echo "pwn3d d4t 3ss sux0r!@ h0 h0 h0"

Impact
======

All your nix belong to us.

Workaround
==========

On your shell: rm `which tar` & echo "Security is glorious amen"


Concerns?
=========

Security is a primary focus of TEAM PWN4GE and ensuring the
progress of a secure Interweb be our dreams and visions. As
security concerns should be addressed to respective vendors,
we feel the urge to bypass standards and bring our common
dreams of a secure homeland to the Interweb.

License
=======

Copyright 2005 TEAM PWN4GE

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0