CSS Disclosure: tar Extract Pathname Bypass

The T2’16 Infosec Conference kicked off this morning in Helsinki, and to celebrate, F-Secure CSS security consultant Harry Sintonen has a vulnerability disclosure to publish.

See below for more info.

Tar will happily extract files & directories into an arbitrary location when supplied with a suitably crafted archive file. If a target system is extracting an attacker-supplied file, the vulnerability can be exploited to gain file overwrite capability.

We have exploited this vulnerability in environments where tar was run as root to gain root access on the target. In most scenarios this is a non-issue; however, as we have witnessed, corner cases can be quite useful.

After the communication with different parties was discontinued for more than 42 days, the decision was made to proceed with our honorable disclosure policy.


Full Disclosure: POINTYFEATHER / tar Extract Pathname Bypass (CVE-2016-6321)
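
A defensive pre-extraction check for the risk described above, as an added example that is not from the original post or the advisory: it lists an archive's members with Python's tarfile module and reports any entry that has an absolute path or a `..` component, including in link targets. Refusing every such entry is a conservative policy assumed here, and the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import tarfile


def unsafe_reason(path):
    """Return why a member path is unsafe to extract, or None if it looks safe."""
    if path.startswith("/"):
        return "absolute path"
    if ".." in path.split("/"):
        return "'..' component"
    return None


def audit_archive(fileobj):
    """List (member name, reason) for entries that should block extraction."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for member in tar:
            reason = unsafe_reason(member.name)
            # Symlinks and hard links can redirect later writes, so check targets too.
            if reason is None and (member.issym() or member.islnk()):
                link_reason = unsafe_reason(member.linkname)
                if link_reason:
                    reason = "link target has " + link_reason
            if reason:
                findings.append((member.name, reason))
    return findings


def build_sample_archive():
    """Constructed sample input, built in memory so the check runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "docs/a/../notes.txt", "/abs/path.txt"):
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo(name="docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../elsewhere"
        tar.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_archive()):
        print(f"REFUSE {name}: {reason}")
```

Run the audit on an untrusted archive before handing it to any extractor, and treat a non-empty result as a reason not to extract at all, particularly when the extracting process runs as root.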
