Bug 15106 - there is a directory traversal vulnerability of "tar" applet
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All Linux
Importance: P5 major
Target Milestone: ---
Assignee: unassigned
Reported: 2022-11-08 08:01 UTC by xiedongmo
Modified: 2022-11-09 14:47 UTC

Attachments
the poc detail (44.88 KB, application/octet-stream)
2022-11-08 08:28 UTC, xiedongmo
Description xiedongmo 2022-11-08 08:01:37 UTC
In the general case, it is not allowed to create files or soft links outside the decompression directory. However, by constructing multiple soft links with the same name to exploit two cycles of extracting, creating any soft link at any location pointing to any target file is possible.

A PoC is given, which shows that after executing tar to process the special file, “rm” is hijacked.
Comment 1 xiedongmo 2022-11-08 08:28:29 UTC
Created attachment 9406
the poc detail

the poc detail.
hack5.tar shows how to construct a tar to attack.
runpoc.png shows the result after attacking.
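
A pre-extraction check for the archive shape the description names (repeated link entries with the same name, and members whose path runs through an archived link), given here as an added example that is not part of the original report or of BusyBox. The function names, reason strings and the sample archive are assumptions constructed for illustration; the sample is not the attached PoC.

```python
import io
import posixpath
import tarfile


def _escapes(path):
    return path.startswith("/") or path == ".." or path.startswith("../")


def audit_tar(fileobj):
    """Return (member_name, reason) findings without extracting anything."""
    findings, links, seen = [], set(), {}  # seen: name -> earlier entry was a link
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            is_link = m.issym() or m.islnk()
            if _escapes(name):
                findings.append((m.name, "name escapes extraction root"))
            # A repeated name lets a later entry replace or follow a link.
            if name in seen and (is_link or seen[name]):
                findings.append((m.name, "duplicate name involving a link"))
            seen[name] = seen.get(name, False) or is_link
            # Flag any parent component that an earlier entry declared as a link.
            parts = name.split("/")
            if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
                findings.append((m.name, "path passes through an archived link"))
            if is_link:
                # Symlink targets resolve from the link's directory,
                # hard-link targets from the archive root.
                base = posixpath.dirname(name) if m.issym() else ""
                target = posixpath.normpath(posixpath.join(base, m.linkname))
                if _escapes(target):
                    findings.append((m.name, "link target outside extraction root"))
                links.add(name)
    return findings


def build_sample():
    """Constructed sample archive; every name and target is made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in (("data", "docs"), ("data", "../elsewhere")):
            info = tarfile.TarInfo(name)
            info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info)
        info = tarfile.TarInfo("data/file.txt")
        info.size = 2
        tar.addfile(info, io.BytesIO(b"hi"))
    buf.seek(0)
    return buf
```

An empty result from `audit_tar` means none of these patterns were found; any finding is a reason to refuse the archive or to unpack it only in a disposable sandbox.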