From: Ehud Tenenbaum (analyzer2xss.com)
Date: Wed Feb 20 2002 - 20:48:33 CST


    Hey,

    2xs Security team spotted a security risk in tar / gtar. Although
    tar / gtar are not suid in Linux (most probably on all of the OSes),
    a lot of scripts use it to do automatic backups etc.

    To the details:

    [testTestZone BOS]$ id
    uid=500(test) gid=500(test) groups=500(test)
    [testTestZone BOS]$ gdb /bin/tar
    GNU gdb 19991004
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
    (gdb) r -c `perl -e'print "A" x 8192'` -G `perl -e'print "A" x 8192'`
    Starting program: /bin/tar -c `perl -e'print "A" x 8192'` -G `perl -e'print "A" x 8192'`
    /bin/bash: /root/.bashrc: Permission denied
    alot of AAAAAAA..... : Cannot stat: File name too long
     
    Program received signal SIGSEGV, Segmentation fault.
    0x400760e4 in chunk_free (ar_ptr=0x4010ad60, p=0x8071488) at malloc.c:3100
    3100 malloc.c: No such file or directory.

    (gdb) where
    #0 0x400760e4 in chunk_free (ar_ptr=0x4010ad60, p=0x8071488) at malloc.c:3100
    #1 0x40075fba in __libc_free (mem=0x8071490) at malloc.c:3023
    #2 0x805049f in strcpy () at ../sysdeps/generic/strcpy.c:30
    #3 0x805c9a5 in strcpy () at ../sysdeps/generic/strcpy.c:30
    #4 0x400349cb in __libc_start_main (main=0x805c86c <strcpy+76592>, argc=5, argv=0xbfff9b54,
        init=0x804960c, fini=0x80641fc <__umoddi3+604>, rtld_fini=0x4000ae60 <_dl_fini>,
        stack_end=0xbfff9b4c) at ../sysdeps/generic/libc-start.c:92

    (gdb) info registers
    eax 0x1009 4105
    ecx 0x41414140 1094795584
    edx 0x8071488 134681736
    ebx 0x4010c1ec 1074840044
    esp 0xbfff9aac -1073767764
    ebp 0xbfff9ad0 -1073767728
    esi 0x8072490 134685840
    edi 0x8071488 134681736
    eip 0x400760e4 1074225380
    eflags 0x10202 66050
    cs 0x23 35
    ss 0x2b 43
    ds 0x2b 43
    es 0x2b 43
    fs 0x0 0
    gs 0x0 0
    cwd 0xffff037f -64641
    swd 0xffff0000 -65536
    twd 0x0 0
    fip 0x8094c93 134827155
    fcs 0x23 35
    fopo 0x80e6510 135161104
    fos 0x2b 43
    (gdb)

    This bug has a lot of other flags as well (as long -c among them).
    For more information please contact:

    Ehud Tenenbaum <analyzer2xss.com> CTO & Project manager.
    Izik Kotler <izik2xss.com> Senior programmer.
    Mixter <mixter2xss.com> Senior programmer.
    acz <acz2xss.com> Programmer/QA tester.

    No exploit at this moment.
    Bug confirmed on Red Hat 6.2 / Slackware 7.1 / Mandrake 8.0

    2xs Security Team.

    --
    ------------
    Ehud Tenenbaum
    C.T.O & Project Manager
    2xs LTD.
    Tel: 972-9-9519980
    Fax: 972-9-9519982
    E-Mail: ehud2xss.com
    ------------
    Have A Safe Day
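The trace above shows the classic signature of a heap overflow: the crash is not in the copy itself but later, in chunk_free() under __libc_free(), once strcpy() has written an 8192-byte argument past the end of a heap chunk and clobbered malloc's bookkeeping. The following C program is an added example written for this post; it is not code from 2xs or from GNU tar, and the limit it enforces (PATH_MAX, 4096 on Linux) is an assumption standing in for whatever size the real program allocates. It places the unchecked copy pattern next to a bounded version that measures the argument without scanning past the limit, rejects over-long names with ENAMETOOLONG, and only then copies, so that a later free() has nothing corrupted to trip over. The 8192-byte name is constructed inline to mirror the post.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* assumed accepted name length; Linux's platform limit */
#endif

/* Unchecked pattern, shown for contrast only (main() never calls it):
 * a heap buffer sized for an ordinary path, filled with strcpy() from
 * argv. An 8192-byte argument overruns the chunk; the damage surfaces
 * later inside free(), which is exactly what the chunk_free() trace shows. */
char *dup_name_unchecked(const char *arg) {
    char *buf = malloc(PATH_MAX);
    if (buf != NULL)
        strcpy(buf, arg);   /* no length check: heap overflow on long input */
    return buf;
}

/* Checked version: measure with a bounded scan (never reading more than
 * limit+1 bytes), reject anything longer than `limit`, then copy exactly
 * the bytes that fit into a buffer allocated for that length. */
char *dup_name_checked(const char *arg, size_t limit) {
    size_t len = 0;
    while (len <= limit && arg[len] != '\0')
        len++;
    if (len > limit) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len);
    buf[len] = '\0';
    return buf;
}

/* Walk an argv-style list the way a backup wrapper might, accepting names
 * that fit and counting the rest. Returns the number accepted; *rejected
 * receives the number refused. Each accepted copy is freed immediately to
 * show that free() is safe once nothing is written past the chunk. */
int process_names(int count, char **names, size_t limit, int *rejected) {
    int accepted = 0;
    *rejected = 0;
    for (int i = 0; i < count; i++) {
        char *copy = dup_name_checked(names[i], limit);
        if (copy == NULL) {
            (*rejected)++;
            continue;
        }
        accepted++;
        free(copy);
    }
    return accepted;
}

/* Constructed input mirroring the post: a run of n 'A' bytes. Caller frees. */
char *make_long_name(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void) {
    char *longname = make_long_name(8192);
    if (longname == NULL)
        return 1;
    char *names[] = { "etc/passwd.bak", longname, "home/test/notes.txt" };
    int rejected = 0;
    int accepted = process_names(3, names, PATH_MAX, &rejected);
    printf("accepted=%d rejected=%d\n", accepted, rejected);
    free(longname);
    return 0;
}
```

The bounded scan matters as much as the length comparison: calling strlen() on an attacker-supplied argument before deciding is harmless here, but measuring with an upper bound is the habit that also holds up when the input is not NUL-terminated. A name exactly at the limit is accepted; one byte over is refused before any allocation happens.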