‘GNU Tar and GNU Cpio Heap Based Buffer Overflow Vulnerability’

Summary

The rmt client implementation of GNU Tar/Cpio contains a heap-based buffer overflow which possibly allows arbitrary code execution.’

Credit:

‘The information has been provided by Jakob Lell.
The original article can be found at: http://www.agrs.tu-berlin.de/index.php?id=78327


Details

Vulnerable Systems:
 * GNU Tar version 1.23
 * GNU Cpio version 2.11

The vulnerability is in the function rmt_read__ in lib/rtapelib.c:

/* Read up to LENGTH bytes into BUFFER from remote tape connection HANDLE.
Return the number of bytes read on success, SAFE_READ_ERROR on error. */
size_t
rmt_read__ (int handle, char *buffer, size_t length)
{
char command_buffer[COMMAND_BUFFER_SIZE];
size_t status;
size_t rlen;
size_t counter;

sprintf (command_buffer, ‘R%lun’, (unsigned long) length);
if (do_command (handle, command_buffer) == -1
  || (status = get_status (handle)) == SAFE_READ_ERROR)
return SAFE_READ_ERROR;

for (counter = 0; counter < status; counter += rlen, buffer += rlen)
{
  rlen = safe_read (READ_SIDE (handle), buffer, status – counter);
  if (rlen == SAFE_READ_ERROR || rlen == 0)
    {
      _rmt_shutdown (handle, EIO);
      return SAFE_READ_ERROR;
    }
}

return status;
}

The function first writes to the server how many bytes it wants to read using sprintf() and do_command(). Then it reads the number of bytes available into the variable status using get_status(). In the for loop, the function reads status bytes from the server into the buffer. However, it doesn’t check whether status is actually less than or equal the length of the buffer given by the parameter length. So a malicious rmt server can overwrite data on the heap following the buffer. Successful exploitation of this bug could possibly lead to arbitrary code execution.

The problem can be exploited when using an untrusted/compromised rmt server. The impact is fairly low since rmt is rarely used today and the rmt server is in most cases considered trustworthy.

However, this vulnerability can also be triggered when trying to extract a tar file with a colon in the filename. In this case, tar interprets the part before the colon as a hostname (or user () hostname) and opens a rsh connection to this host. This may also be exploited if the user uses the aunpack script from atool to extract a tar file. Many users of GNU Tar or atool don’t know that rmt exists and that tar treats filenames containing a colon differently. So a user might run tar or aunpack on a file which he has received via email or downloaded from a web page. Many users enter filenames using bash auto-completion and thus might not even notice that there is anything wrong with the filename.

For Cpio, this attack vector does not work since Cpio requires the option –rsh-command to use rmt. Tar has compiled in the default value ‘/usr/bin/rsh’.

It is also possible that there are scripts out there which automatically call Tar to extract a file with a name provided by an untrusted source. If the script passes the filename with an (absolute or relative) path or uses the –force-local option, this problem can be avoided.

Workaround:
Do not use the integrated rmt client of GNU Tar/Cpio if the rmt server is untrusted or potentially compromised. Always check that the filename doesn’t contain a colon when extracting tar files or use the –force-local option.

CVE Information:
CVE-2010-0624

Disclosure Timeline:
2010/02/12: Vendor and major Linux Distributions notified
2010/03/10: Public disclosure’

Categories: UNIX