Source: secalert@redhat.com
The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/".
GNU tar on vulnerable Red Hat Enterprise Linux systems is susceptible to a critical directory traversal vulnerability, allowing attackers to overwrite arbitrary files. This flaw, stemming from an incorrect optimization in a previous patch, can lead to complete system compromise through user-assisted exploitation.
Step 1: Payload Creation: An attacker crafts a malicious tar archive. This archive contains entries designed to overwrite arbitrary files on the target system. These entries use directory traversal sequences (e.g., '/../') to specify target file paths outside the intended extraction directory.
Step 2: Archive Delivery: The attacker delivers the malicious tar archive to the victim. This typically involves social engineering, such as tricking the user into downloading and extracting the archive.
Step 3: Extraction Trigger: The victim extracts the malicious tar archive using the vulnerable tar utility.
Step 4: Path Manipulation: The vulnerable tar utility processes the archive entries. Due to the flawed patch, the directory traversal sequences in the archive entries are not correctly sanitized.
Step 5: File Overwrite: The tar utility, due to the path manipulation, creates or overwrites files at the attacker-specified locations, potentially including critical system files.
Step 6: System Compromise: By overwriting critical system files (e.g., configuration files, binaries), the attacker gains control of the system.
The vulnerability arises from an incomplete fix for CVE-2002-0399. The original patch, intended to prevent directory traversal, introduced an 'incorrect optimization' that failed to properly sanitize pathnames within the tar archive. The patch likely attempted to strip or sanitize '../' sequences, but the implementation was flawed. The root cause is a failure to correctly normalize paths, which allows crafted archive entries containing sequences such as '/../' to bypass the intended check and write files outside the intended extraction directory. The flaw most likely lies in the logic that resolves an entry's path and creates the file during extraction, where the path is not fully validated before the file is created; the 'incorrect optimization' was probably a simplified check that carefully crafted path names could bypass.
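As an added illustration (not taken from the advisory or from the GNU tar source) of why a shortcut check fails where path normalization does not, the Python below builds a constructed in-memory archive whose member names include traversal variants of the "/../" kind described above, then compares a naive prefix check against a normalize-and-contain check. The destination directory and the sample member names are assumptions.

```python
import io
import posixpath
import tarfile

# Constructed sample member names (not from any real archive): one benign
# entry, two traversal variants, and one absolute name for contrast.
SAMPLE_NAMES = [
    "docs/readme.txt",
    "/../etc/passwd",
    "docs/../../etc/cron.d/job",
    "/etc/ld.so.preload",
]


def build_sample_archive(names):
    """Build an in-memory tar whose member names are stored verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_is_safe(name):
    """A shortcut check of the kind the advisory calls an 'incorrect
    optimization': reject only names that *begin* with '../'. It accepts
    '/../etc/passwd' and 'docs/../../etc/cron.d/job'."""
    return not name.startswith("../")


def normalized_is_safe(name, dest="/tmp/extract"):
    """Strip any leading '/' (so the entry is treated as relative to dest),
    resolve the name against dest, and require that the result stays under
    dest. Absolute names like '/etc/ld.so.preload' land inside dest and are
    therefore accepted; '/../' and 'a/../..' forms escape and are rejected."""
    rel = name.lstrip("/")
    target = posixpath.normpath(posixpath.join(dest, rel))
    return target == dest or target.startswith(dest + "/")


def unsafe_members(tar_bytes, dest="/tmp/extract"):
    """Return the member names in the archive that would escape dest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers()
                if not normalized_is_safe(m.name, dest)]
```

This checks member names only; symlink and hardlink members need a separate check of their link targets before extraction.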
While no specific APT groups are directly linked to this CVE, the vulnerability's nature makes it attractive to various threat actors. The potential for remote code execution and system compromise makes it a high-value target. This vulnerability is not listed on the CISA KEV at the time of this report, but it is a high-impact vulnerability that could be added.
Monitor file system activity for unexpected file creations or modifications, especially in system directories (e.g., /etc, /usr/bin).
Analyze logs for tar commands with suspicious arguments, particularly those involving path manipulation (e.g., /../).
Implement file integrity monitoring (FIM) to detect unauthorized changes to critical system files.
Network traffic analysis: Look for unusual file transfers or downloads that might be related to the delivery of malicious tar archives.
Check for the presence of known malicious files or backdoors that could be installed by an attacker.
Upgrade to a patched version of GNU tar. Ensure that the system is running a version with a complete fix for CVE-2002-0399 and CVE-2005-1918.
Implement strict input validation on all user-supplied data, especially file paths.
Regularly scan systems for vulnerabilities using vulnerability scanners.
Employ a defense-in-depth strategy, including file integrity monitoring, intrusion detection systems, and strong access controls.
Educate users about the risks of opening files from untrusted sources and the importance of verifying file integrity before extraction.
Implement a least-privilege model, limiting the permissions of user accounts to the minimum necessary for their tasks.