Re: cpio privilege escalation vulnerability via setuid files in cpio archive

2024-1-15 14:5:24 Author: seclists.org(查看原文) 阅读量:12 收藏

Am 08.01.24 um 10:25 schrieb Georgi Guninski:

One example is r00t extracts to/tmp/  and scidiot runs /tmp/micq/backd00r
without further interaction from root.

We believe this is vulnerability, since directory traversal in cpio
is considered vulnerability.

It's not a vulnerability, as

a) cpio archives must archive that flag as cpio is part of RPM packages 

and those

must be able to contain setuid flags. Otherwise, you would need to add 

chmod u+s  cmds to any %POST

section. Breaking this, would invalidate so many existing packages => 

won't happen

note: initramfs makes use of cpio as well, but setuid is not needed 

here, as it's already running as root

b) it's not cpio's fault, if roidiot unpacks (insecure) archives as root 

to "public" available places.

c) If you consider "keeping the file flags intact" a vulnerability, you 

would also consider TAR as vulnerable:

as root:

# cd /tmp/
# touch setuid.sh
# chmod u+srwx setuid.sh
# tar cv setuid.sh | tar x -C tmp/
setuid.sh
# ls -ls tmp/
insgesamt 0
0 -rwsr--r--. 1 root root 0 10. Jan 11:55 setuid.sh

You could not backup your system correctly anymore, if  TAR would change 

this, as setuid files could be valid for your system.

The archivsofware isn't the issue here, as it's neutral technology. In 

this case, the admin has to keep this in mind and not unpack a potential 

risky piece of software to a user available place.

best regards,
Marius Schwarz
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Full Disclosure mailing list archives

Current thread: