GNU Tar "Pointy Feather" Vulnerability Disclosed (CVE-2016-6321)
Last week brought the disclosure of the Linux kernel's Dirty COW vulnerability, and the latest high-profile open-source project to go public with a new security CVE is GNU Tar. According to the security researchers, Tar CVE-2016-6321 is also called POINTYFEATHER.
The GNU Pointy Feather vulnerability comes down to a pathname bypass in the Tar extraction process. Regardless of the path name(s) specified on the command line, a specially crafted tar archive can be used to overwrite files and directories.
The CVE notice explains, "GNU `tar' archiver attempts to avoid path traversal attacks by removing offending parts of the element name at extract. This sanitizing leads to a vulnerability where the attacker can bypass the path name(s) specified on the command line...The discovered vulnerability, described in more detail below, enables file and directory overwrite attacks against the user or system by using a crafted tar archive. The attack requires that the victim or system extract the crafted tar archive prepared by the attacker. Automated systems extracting paths from archives originating from untrusted sources are in particular danger, especially if the extract operation is performed with elevated privileges."
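A pre-extraction check for the automated-extraction case the notice warns about, as an added example that is not from the advisory or from GNU tar: it refuses any archive containing a member whose name is absolute or has a `..` component, rather than relying on the extractor's sanitizing. The function names and the sample archives are constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath


def suspicious_members(archive_bytes):
    """Return member names that are absolute or contain a '..' component."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for member in tf:  # reads headers only; nothing is written to disk
            parts = PurePosixPath(member.name).parts
            if member.name.startswith("/") or ".." in parts:
                flagged.append(member.name)
    return flagged


def safe_to_extract(archive_bytes):
    """Gate for an automated pipeline: accept only archives with no flagged names."""
    return not suspicious_members(archive_bytes)


def build_archive(names):
    """Build an in-memory tar with the given member names (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples, not taken from the advisory.
CLEAN = build_archive(["docs/readme.txt", "docs/notes..old/a.txt"])
CRAFTED = build_archive(["docs/readme.txt", "docs/../../outside.txt", "/abs/file.txt"])

if __name__ == "__main__":
    print(safe_to_extract(CLEAN), suspicious_members(CLEAN))
    print(safe_to_extract(CRAFTED), suspicious_members(CRAFTED))
```

Rejecting the whole archive when any name is flagged means the decision never depends on how the extractor rewrites member names.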