lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: vtlists at wyae.de (Volker Tanger)
Subject: UNIX Tar Security Advisory from TEAM PWN4GE

Greetings!

On Thu, 03 Feb 2005 04:32:08 +0800
"Team Pwnge" <team_pwn4ge@...gun.com> wrote:
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - TEAM PWN4GE Security Advisory                                    
> PWNED - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>   Severity: HIGH
>      Title: TAR: Local root exploit using Tar
>       Date: February 02, 2005
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

...is not reproducible. PoC fails in several steps.


> Proof of Concept
> ================
> 
> # tar -cf parishiltonpr0n.tar /etc/shadow

Chmod for /etc/shadow  must be set to 600 by design.
So tar fails as expected with 
	"tar: /etc/shadow: Cannot open: Permission denied"


Okay, for completeness' sake, continuing with a 644'ed /etc/shadow,
just in case.


> $ tar -xvf parishiltonpr0n.tar
> tar: blocksize = 8
> x /etc/shadow, 1100 bytes, 5 tape blocks

Permission problem here as well - tar fails with
	"tar: shadow: Cannot open: File exists"


So the attack only is successful if you have your permissions of
/etc/shadow set to 666 or similar, which is an evil thing (sorry for
the pun). If the password file is world-writable anyway you don't even
need the way 'round with tar and HTTP transfer - simply set your own
passwords for anyone you would like to - VI or EMACS is all you need in
this case. Similar if /etc/ itself is set to 777.

Alternatively the TAR binary might be SUID'ed, which is A Bad Idea(TM),
too - which are all SUID'ed programs that can write to arbitrary
locations...

So the problem is not TAR, but the "cracked" wide-open system, that was
misconfigured against all defaults and standards. 

Bye
	Volker

-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@...e.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ