Bug 15106

Summary: there is a directory traversal vulnerability of "tar" applet
Product: Busybox Reporter: xiedongmo <alligatorking>
Component: OtherAssignee: unassigned
Status: NEW ---    
Severity: major CC: busybox-cvs
Priority: P5    
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:
Attachments: the poc detail

Description xiedongmo 2022-11-08 08:01:37 UTC 
In general case, it is not allowed to create files or soft links outside the decompression directory. However, by constructing multiple soft links with the same name to exploit two cycles of extracting, creating any soft link at any location pointing to any target file is possible.

An poc is given , which shows that after executing tar to process the special file, the “rm”is hijacked.
Comment 1 xiedongmo 2022-11-08 08:28:29 UTC 
Created attachment 9406 [details]
the poc detail

the poc detail.
hack5.tar shows how to construct an tar to attack.
runpoc.png shows the result after attacking