Re: RE: Is FreeBSD's tar susceptible to this?

From: Don Lewis (dl-freebsd@catspoiler.org)
Date: 10/02/02


Date: Tue, 1 Oct 2002 16:30:37 -0700 (PDT)
From: Don Lewis <dl-freebsd@catspoiler.org>
To: jan@caustic.org

On 1 Oct, f.johan.beisser wrote:
> On Tue, 1 Oct 2002, Don Lewis wrote:
>
>> What if the tarball installs a symlink to / under the current directory
>> followed by files that are unpacked underneath the symlink name? A
>> simple fix for the initial problem mentioned in this thread isn't
>> sufficient.
>
> i don't believe that tar(1) will allow you to do that by default.

I don't have an easy way of creating a malicious tarball to do this all
in one shot, but it does look like our tar follows symlinks.

> mkdir foo
> touch foo/bar
> tar cvf foo.tar foo/bar
foo/bar
> rm -r foo
> mkdir baz
> ln -s baz foo
> tar xvf foo.tar
foo/bar
> ls -l baz
total 0
-rw-r--r-- 1 dl dl 0 Oct 1 16:17 bar

> i know for a fact that OpenBSD won't do it by default, you have to specify
> that you want it to follow symlinks:
>
> -L Follow all symlinks. In extract mode this means that a
> directory entry in the archive will not overwrite an existing
> symbolic link, but rather what the link ultimately points
> to.

Our -L option does something entirely different, which is odd since I
got the impression from the comments made in this thread that
FreeBSD and OpenBSD are both using gtar.

I also don't think the -L option described above (or the lack of its
use) does anything to help the problem. If there is a symbolic link
named "foo" in the filesystem and the tarball contains a directory named
"foo", then it sounds like the symlink will be removed and replaced with
a directory if the "-L" option is not used, and the directory will be
created at the target of the symlink if the "-L" option is used. It
doesn't seem to say anything about what is done if there is no "foo"
directory in the tarball, but the tarball contains a "foo/bar" file.

The only safe way of preventing symlinks from being followed would be to
lstat() each component of each path name in the tarball (which is still
not safe if there is a hostile process running that could substitute a
symlink for something that has already been checked).
