Re: cpio privilege escalation vulnerability via setuid files in cpio archive
2024-1-15 14:8:47 Author: seclists.org(查看原文) 阅读量:12 收藏
2024-1-15 14:8:47 Author: seclists.org(查看原文) 阅读量:12 收藏
Full Disclosure mailing list archives
From: Harry Sintonen via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 9 Jan 2024 00:45:39 +0200 (EET)
On Mon, 8 Jan 2024, Georgi Guninski wrote:
When extracting archives cpio (at least version 2.13) preserves the setuid flag, which might lead to privilege escalation.
So does for example tar. The same rules that apply to tar also apply to cpio:
"Extract from an untrusted archive only into an otherwise-empty directory. This directory and its parent should be accessible only to trusted users."
One example is r00t extracts to /tmp/ and scidiot runs /tmp/micq/backd00r without further interaction from root. We believe this is vulnerability, since directory traversal in cpio is considered vulnerability.
This is a user error, not a vulnerability in cpio. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- cpio privilege escalation vulnerability via setuid files in cpio archive Georgi Guninski (Jan 08)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive fulldisclosure (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Harry Sintonen via Fulldisclosure (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Georgi Guninski (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Harry Sintonen via Fulldisclosure (Jan 14)
- Re: cpio privilege escalation vulnerability via setuid files in cpio archive Georgi Guninski (Jan 14)
文章来源: https://seclists.org/fulldisclosure/2024/Jan/9
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh