| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 Aug 2005 00:52:50 +0100 From: Imran Ghory <imranghory@...il.com> To: bugtraq@...urityfocus.com Subject: tar preserves setuid bit (essentially the same as the unzip vulnerability CAN-2005-0602 except that it only works against the root user) ================================ tar preserves setuid bit ================================ Software: tar Version: 1.15.1 Software URL: <www.gnu.org/software/tar/tar.html> Platform: Unix, Linux. Severity: Medium Vulnerable software ==================== tar 1.15.1 and previous versions running on unix. Vulnerability ============== If running as the root user tar restores the original permissions to extracted files, this includes the setuid bit. No warning is given to the user that this has happened. The default behaviour of tar under root is not to change ownership of the file to root. However owner information is extracted from the tar file, so a trivialy modified tar file can ensure the owner of the extracted files is the root user. This allows for the creation of arbitary setuid executable owned by the root user if the root user extracts the files from a malliciously crafted tar file. --- Imran Ghory
Powered by blists - more mailing lists