The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/".
GNU tar in Red Hat Enterprise Linux 3 and 2.1 is vulnerable to a directory traversal attack, allowing attackers to overwrite arbitrary files on the system. This vulnerability stems from an incorrect optimization in the original patch for a previous directory traversal issue, enabling attackers to craft malicious tar archives that write files outside of the intended directory, potentially leading to system compromise.
Step 1: Payload Creation: The attacker crafts a malicious tar archive. This archive contains files with filenames designed to exploit the vulnerability. These filenames will include sequences like "/../" to traverse the directory structure and target specific files for overwriting.
Step 2: Archive Delivery: The attacker delivers the crafted tar archive to the vulnerable system. This could be achieved through various means, such as social engineering, web server compromise, or email attachments.
Step 3: User Interaction: A user on the vulnerable system, or an automated process, extracts the malicious tar archive using the vulnerable GNU tar utility.
Step 4: Path Traversal: During extraction, the vulnerable GNU tar fails to properly sanitize the filenames within the archive. The "/../" sequences are not correctly resolved, allowing the extraction process to write files outside of the intended directory.
Step 5: File Overwrite: The extraction process overwrites the target files specified in the crafted filenames. This could include critical system files, configuration files, or other sensitive data, depending on the attacker's objectives.
The vulnerability lies in the flawed implementation of a security patch intended to prevent directory traversal in GNU tar. The original patch, designed to mitigate CVE-2002-0399, introduced an "incorrect optimization" that failed to properly sanitize file paths extracted from a crafted tar archive. Specifically, the patch's logic for handling paths containing sequences like "/../" with a leading "/" was insufficient. The flawed code likely did not correctly normalize the path, allowing an attacker to construct a tar archive with filenames that, when extracted, would write files to arbitrary locations on the filesystem. This is a classic example of a path traversal vulnerability, where the software does not properly validate user-supplied input (the filenames within the tar archive) before using it to access the file system. The root cause is a logic error in the path sanitization routine, leading to a write-what-where condition.