Kitz Forum

Computer Software => Linux => Topic started by: Weaver on August 02, 2018, 01:22:11 AM

Title: Tarbomb
Post by: Weaver on August 02, 2018, 01:22:11 AM
A bit of a lame question, but the answer just eludes me at the moment.

Say someone gives me a tarbomb, by which I mean a .tar file that contains files that will be (i) a nuisance if extracted into the current directory or (ii) contains directives to extract files to absolute paths.

q: Is the second case a possibility (nowadays)? (Inspecting the whole thing in advance might be at the least a pain or easily forgotten or at most well-nigh impossible if the listing is huge.)

q: What is the best thing to do to guard against any risk of problems from absolute paths? - tips for good switches, for example?

As for the first case, you could say it is your own fault, and you should have made a suitable subdirectory first. However, for convenience, are there any switches to automate this, to force everything to go into relative paths that are below "./eg_sub/", say: ie (at least) one level below the current directory?

Perhaps I should write a tool if need be, to make this automatic and safe.
Title: Re: Tarbomb
Post by: roseway on August 02, 2018, 07:31:35 AM
One easy way to do this is to use one of the graphical utilities to extract the files. I use Ark, but this is KDE specific. On Windows there's Winzip of course, and I presume other platforms have similar utilities.
Title: Re: Tarbomb
Post by: DaveC on August 02, 2018, 09:26:55 AM
Here is what GNU tar does:

But I would always preview the contents of a tar file using the t and v switches before untarring.
Title: Re: Tarbomb
Post by: Weaver on August 02, 2018, 12:21:25 PM
Got it, many thanks DaveC - some wise soul was ahead of me then, I was not the only one thinking about this.
Title: Re: Tarbomb
Post by: petef on August 02, 2018, 08:36:45 PM
The Zip Slip vulnerability was published in June. Holes were found in a number of implementing libraries. Those were mostly Java. Other languages were less affected because they have standard zip libraries.

The standard tar program I would regard at pretty safe. However the file format is vulnerable if people chose to write their own unpacker or use immature libraries, for the same reasons as Zip Slip.

@roseway I do not see how a GUI is intrinsically safer. The ones I remember just ask if you want to extract the files without showing you where they extract to.

@DaveC if the bad guys are going to sneak in path elements like ../ then they can also put in old skool tricks like backspaces or newer things like bidi. -vt can help but can still be fooled. Do you routinely use the -b flag with ls?

@Weaver writing your own tar seems risky compared to using mature implementations like GNU. You have identified the ../ vulnerability but how many others are there?
Title: Re: Tarbomb
Post by: roseway on August 02, 2018, 10:46:53 PM
@roseway I do not see how a GUI is intrinsically safer.

I wasn't suggesting that. But the ones I've used allow you to see the file structure inside the archive before extracting it, and allow the user to choose the destination and also to select which parts of the archive to extract. No doubt this can be done with the command line programs, but with the GUI it's much easier to see what the result is going to be.
Title: Re: Tarbomb
Post by: Weaver on August 03, 2018, 01:52:11 AM
@petef Misunderstanding - no, I certainly would not waste my time writing my own tar. I was thinking of a script that runs untar to get a listing of the contents and then checks that, before calling tar a second time to do the real thing. But it seems that the authors have addressed my concerns already, from the man article at that URL.
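The two-pass wrapper Weaver describes (list and check first, extract second), written as an added example that is not code from the thread or from GNU tar. It also covers petef's Zip Slip point: the same path rules (no absolute names, no `..` components, no links that climb out of the extraction root, no device entries) are what any home-grown unpacker has to enforce, and the control-character and bidi check is there because a plain listing can be fooled by them. The function names, the in-memory demo archives and the `eg_sub` destination are all constructed for the example; it assumes Python 3.8 or later and only the standard library.

```python
# Added example: audit a tar member list, then extract into a fresh subdirectory.
# Function names and the demo archives are illustrative, not from the thread.
import io
import os
import posixpath
import tarfile
import tempfile

# Unicode bidi overrides/isolates: they can make a listing read differently from
# the path that will actually be created, so treat them like control characters.
_BIDI = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}


def _stays_inside(rel: str) -> bool:
    """True if a relative path (e.g. a resolved link target) cannot climb above the root."""
    norm = posixpath.normpath(rel)
    return not (posixpath.isabs(norm) or norm == ".." or norm.startswith("../"))


def audit_tar(tar: tarfile.TarFile) -> list:
    """Return [(member_name, reason), ...] for members that must not be extracted.

    Pure path logic with no filesystem access, so it is safe to run on untrusted
    input before anything is written. The same rules apply to zip entries.
    """
    problems = []
    for m in tar.getmembers():
        name = m.name
        if posixpath.isabs(name):
            problems.append((name, "absolute path"))
        elif ".." in name.split("/"):
            problems.append((name, "'..' path component"))
        elif any(ord(ch) < 0x20 or ch == "\x7f" or ch in _BIDI for ch in name):
            problems.append((name, "control or bidi character in name"))
        elif m.issym() and not _stays_inside(posixpath.join(posixpath.dirname(name), m.linkname)):
            problems.append((name, "symlink target escapes the extraction root"))  # relative to link dir
        elif m.islnk() and not _stays_inside(m.linkname):
            problems.append((name, "hard link target escapes the extraction root"))  # relative to root
        elif m.isdev():
            problems.append((name, "device or fifo entry"))
    return problems


def audit_bytes(data: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return audit_tar(tar)


def safe_extract(data: bytes, dest: str) -> list:
    """Audit, then extract into a directory we create ourselves (the `tar -C dir` idea).

    Creating `dest` here, and refusing if it already exists, guarantees everything
    lands at least one level below the caller's cwd whatever the archive's layout.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        problems = audit_tar(tar)
        if problems:
            raise ValueError("refusing to extract: %r" % problems)
        os.makedirs(dest, exist_ok=False)
        # Python 3.12+ (and backports) ship extraction filters; 'data' re-checks paths
        # and links inside tarfile itself, a second line of defence behind the audit.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]


def _add_file(tar, name, data=b"x"):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_demo_archive() -> bytes:
    """Constructed tarbomb: one benign member followed by four hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "eg_sub/README")
        _add_file(tar, "/etc/cron.d/evil")        # absolute path
        _add_file(tar, "eg_sub/../../escape")     # climbs out via '..'
        link = tarfile.TarInfo("eg_sub/link")     # symlink pointing outside the root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/passwd"
        tar.addfile(link)
        _add_file(tar, "eg_sub/bad\x08name")      # backspace hides part of the name in a listing
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign archive used to show a successful extraction."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "README", b"hello\n")
        _add_file(tar, "data/a.txt", b"payload\n")
    return buf.getvalue()


def demo_safe_extract() -> list:
    """Extract the clean archive into a fresh temp dir; return the members found on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "eg_sub")
        names = safe_extract(build_clean_archive(), dest)
        return sorted(n for n in names if os.path.isfile(os.path.join(dest, n)))


if __name__ == "__main__":
    for name, why in audit_bytes(build_demo_archive()):
        print("REJECT %r: %s" % (name, why))
    print("clean archive extracted:", demo_safe_extract())
```

The audit deliberately rejects any `..` component rather than only ones that net out above the root, and it checks link targets separately because a symlink that itself sits inside the tree can still point outside it. Note that the audit runs on the member list, so it is only as good as the parser that produced that list: the mature implementation is still the better choice for actually unpacking, and the wrapper's job is to gate it and to choose the destination directory.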