On 03 Nov 2021 15:21, Gregorio Giacobbe wrote:
> As per subject, I discovered a Path Hijack vulnerability in the tar binary.
> When using the -z switch for gzip compression/decompression the binary calls
> “gzip” without an absolute path, hence allowing the path hijack.
> While this, in a normal scenario, can be totally harmless, it can be used as a
> privilege escalation technique when the tar binary is called as the root user.
>
> The following lines will provide a basic PoC:
> ----
> export PATH=$(pwd):$PATH
this is the part where people consider it pebkac. anything after this point is unreasonable, and you're describing functionality that exists in the entire system, not tar.

the fundamental design of $PATH and its related execvp* APIs is to support searching without prefixes. tar isn't the only tool that behaves this way: bash, env, gdb, nice, watch, find, nohup, time, etc. behave this way.

i'll note that you don't even need $(pwd) -- an empty or . path would be even more dynamic:

export PATH=":$PATH"
or
export PATH=".:$PATH"

now, if you could come up with a PoC that doesn't involve PATH manipulation like this, then you'd have a reasonable report.

maybe you want to put out a PSA that admins (and really anyone) should never have $PWD in their PATH search. sure, share it with some general user groups as there might not be people familiar with this feature.
-mike
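Mike's point that an empty or "." PATH entry searches the current directory, and the PSA he suggests, as an added example that is not code from either message in this thread. The function names below (unsafe_path_entries, count_unsafe_path_entries, demo_cwd_hijack) and their behaviour are my own assumptions: the first two audit a PATH string for cwd-dependent entries, and the third reproduces the lookup from the report with a harmless stand-in for gzip in a temporary directory instead of touching tar or a root shell.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and behaviour are my
# own assumptions; they illustrate the PATH semantics Mike describes.

# unsafe_path_entries "<PATH string>"
# Prints one line per entry that makes command lookup depend on the current
# directory: an empty field (leading ":", trailing ":", or "::") and any
# relative entry such as "." or "bin". Returns 1 if any were found, else 0.
unsafe_path_entries() {
    _rest="$1:"          # trailing ':' so the last field is handled like the others
    _found=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            "")  printf '%s\n' "(empty entry: searches the current directory)"; _found=1 ;;
            /*)  ;;      # absolute path: lookup does not depend on the cwd
            *)   printf '%s\n' "$_entry (relative entry: resolved against the current directory)"; _found=1 ;;
        esac
    done
    return $_found
}

# count_unsafe_path_entries "<PATH string>": number of risky entries, on stdout.
count_unsafe_path_entries() {
    unsafe_path_entries "$1" | wc -l | tr -d ' '
}

# demo_cwd_hijack: reproduce the situation from the report with a harmless
# stand-in. A fake "gzip" is written to a temporary directory; with "." at the
# front of PATH, anything that execvp()s "gzip" from that directory runs the
# fake instead of the real one. Prints whatever the fake prints.
demo_cwd_hijack() {
    _d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho fake-gzip-ran\n' > "$_d/gzip"
    chmod 0755 "$_d/gzip"
    # subshell: neither the cd nor the PATH change leaks into the caller
    (cd "$_d" && PATH=".:$PATH" && gzip --version)
    _rc=$?
    rm -rf "$_d"
    return $_rc
}

# Self-check of the running shell's own PATH; exit status 1 means "risky".
if unsafe_path_entries "$PATH" >/dev/null; then
    echo "PATH has no empty or relative entries"
else
    echo "PATH contains cwd-dependent entries:"
    unsafe_path_entries "$PATH" || :
fi
```

The audit only covers the PATH semantics under discussion (empty and relative entries); it says nothing about absolute entries that happen to be writable by untrusted users, which an admin would check separately. Note also that sudo's secure_path option, where it is enabled, replaces the invoking user's PATH for exactly this reason, so a root invocation through sudo on such a system does not see the user's "." entry.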