atoulme/minitar

Minitar directory traversal vulnerability

ecneladis opened this issue · 1 comment

Overview

Minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename. Analogous vulnerabilities for unzip and tar: https://www.cvedetails.com/cve/CVE-2001-1268/ and http://www.cvedetails.com/cve/CVE-2001-1267/

Proof of Concept

~/current/tar_symlink ❯ tar -tvf symlink-overwrite.tar
lrwxrwxrwx  0 0      0           0 Jan  1  1970 ../../../../../../../../../../../../../../tmp/qwerty→

Actual behaviour:

~/current/tar_symlink ❯ rm -rf /tmp/qwerty1234
~/current/tar_symlink ❯ minitar extract symlink-overwrite.tar
~/current/tar_symlink ❯ ls -al /tmp/qwerty1234
-rwxrwxrwx 1 anon wheel 0 Jan 12 22:44 /tmp/qwerty1234

Desired behaviour:

~/current/tar_symlink ❯ tar -xf symlink-overwrite.tar
../../../../../../../../../../../../../../tmp/qwerty1234: Path contains '..'
tar: Error exit delayed from previous errors.

Example of how bsdtar handles this kind of issue:

 o       Archive entries can have absolute pathnames.  By default, tar
         removes the leading / character from filenames before restoring
         them to guard against this problem.

 o       Archive entries can have pathnames that include .. components.
         By default, tar will not extract files containing .. components
         in their pathname.

 o       Archive entries can exploit symbolic links to restore files to
         other directories.  An archive can restore a symbolic link to
         another directory, then use that link to restore a file into that
         directory.  To guard against this, tar checks each extracted path
         for symlinks.  If the final path element is a symlink, it will be
         removed and replaced with the archive entry.  If -U is specified,
         any intermediate symlink will also be unconditionally removed.
         If neither -U nor -P is specified, tar will refuse to extract the
         entry.

Vulnerable, verified versions of gems:

~ ❯ gem list | grep tar
archive-tar-minitar (0.5.2)
minitar (0.5.4)

Related issues: halostatue/minitar#16
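
As an added illustration (not minitar's code, nor a patch from this issue): a per-entry path check in Ruby that an extractor could run before writing anything, implementing the three bsdtar rules quoted above. The function names, the `UnsafeEntry` class and the throwaway directory used in the demo are assumptions of this example.

```ruby
require "tmpdir"

# Added example (not minitar's own code): a per-entry path check a tar
# extractor can run before writing anything to disk. It mirrors the three
# bsdtar rules quoted above: drop a leading "/", refuse any ".." component,
# and refuse a destination that resolves (through a symlink an earlier entry
# may have planted) to a location outside the extraction root.
class UnsafeEntry < StandardError; end

# Returns the absolute destination for +entry_name+ under +root+, or raises
# UnsafeEntry when extracting it there could touch a path outside +root+.
def safe_extract_path(root, entry_name)
  root = File.realpath(root)                 # canonical form for the containment test
  relative = entry_name.sub(%r{\A/+}, "")    # rule 1: "/etc/passwd" -> "etc/passwd"
  raise UnsafeEntry, "empty entry name" if relative.empty?
  if relative.split("/").include?("..")     # rule 2: no ".." anywhere in the path
    raise UnsafeEntry, "Path contains '..': #{entry_name}"
  end
  dest = File.join(root, relative)
  # Rule 3: walk up to the deepest component that already exists and resolve it.
  # A dangling symlink on the way would make the write land wherever it points,
  # so it is refused as well.
  existing = dest
  until File.exist?(existing)
    raise UnsafeEntry, "dangling symlink on path: #{entry_name}" if File.symlink?(existing)
    existing = File.dirname(existing)
  end
  real = File.realpath(existing)
  unless real == root || real.start_with?(root + File::SEPARATOR)
    raise UnsafeEntry, "path escapes extraction root via symlink: #{entry_name}"
  end
  dest
end

# Convenience predicate for callers that only need a yes/no answer.
def unsafe_entry?(root, entry_name)
  safe_extract_path(root, entry_name)
  false
rescue UnsafeEntry
  true
end

if __FILE__ == $PROGRAM_NAME
  # Demo on a throwaway directory, using the entry name from the PoC above.
  Dir.mktmpdir do |root|
    ["docs/readme.txt", "../../../../../../../../../../../../../../tmp/qwerty1234"].each do |name|
      puts "#{name}: #{unsafe_entry?(root, name) ? 'REFUSED' : 'ok'}"
    end
  end
end
```

A final-element symlink that already exists inside the root still resolves through `File.realpath`, so an entry overwriting it is accepted only when the link target is itself inside the root.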

This will be resolved with the release of minitar 0.6 when halostatue/minitar#16 is corrected.