rss home github email

CVE-2016-6321 notes

I read this document but had a little trouble understanding it at first:

"Vulnerability: POINTYFEATHER aka Tar extract pathname bypass":

Tar will happily extract files & directories into an arbitrary location when supplied with a suitably crafted archive file. If a target system is extracting an attacker supplied file, the vulnerability can be exploited to gain file overwrite capability.

So, some notes:

tar has a long history of security issues. For example, tar files can contain paths like /etc/motd or /home/lizzie/.bashrc or ../../.bashrc. If these are extracted by a naive tar, they will be written over existing files and probably give the author of the tar file code execution.

So GNU tar has a feature to remove bad prefixes. For example,

lizzie@0ae488040cbf:~# tar tf bad.tar 
tar: Removing leading `../' from member names
../etc/motd
lizzie@0ae488040cbf:~# tar xf bad.tar
tar: Removing leading `../' from member names
lizzie@0ae488040cbf:~# ls
bad.tar  etc
lizzie@0ae488040cbf:~# ls etc/
motd

And also GNU tar lets you specify which files to extract from a tar file:

lizzie@0ae488040cbf:~# ls
example.tar
lizzie@0ae488040cbf:~# tar tf example.tar 
a
b
lizzie@0ae488040cbf:~# tar xf example.tar a
lizzie@0ae488040cbf:~# ls
a  example.tar

But this isn't implemented the right way: first, the specification is checked, and then the bad prefixes are removed. So a maliciously-constructed path can match the specification, then be sanitized into something that may not match the specification, and then be extracted. So,

lizzie@0ae488040cbf:~# tar tf pointyfeather.tar 
tar: Removing leading `a/../' from member names
a/../example
lizzie@0ae488040cbf:~# tar xf pointyfeather.tar a
tar: Removing leading `a/../' from member names
lizzie@0ae488040cbf:~# ls
example  pointyfeather.tar

The fixed version bails out immediately (1.29-2 on Arch Linux):

[lizzie@empress misc]$ tar xf pointyfeather.tar a
tar: Removing leading `a/../' from member names
tar: a/../example: Member name contains '..'
tar: Exiting with failure status due to previous errors