GNU Tar
cpe:2.3:a:gnu:tar:*:*:*:*:*:*:*
- <= 1.35
A directory traversal vulnerability has been identified in GNU Tar versions through 1.35, allowing for file overwrites via crafted TAR archives. The exploitation involves a two-step process: first, the extraction of an archive containing a symlink that points to a critical directory; second, the extraction of another archive that includes a critical file, specified through a relative pathname that begins with the symlink and ends with the file's name. Because the second pathname contains no double-dot ('..') components, this method bypasses Tar's default protection against that form of traversal. It potentially affects server applications that automatically extract user-supplied TAR archives and software installation processes that handle multiple TAR extractions.
Exploitation of this vulnerability can lead to unauthorized overwriting of critical files, potentially disrupting application or system functionality.
To reproduce this vulnerability, first extract a TAR archive containing a symlink that points to a sensitive directory, such as the user's .ssh directory. Next, extract a second TAR archive that includes a file specified by a relative path starting with the symlink name and ending with the file name, such as 'authorized_keys'. This process will follow the symlink and overwrite the specified file, exploiting the directory traversal flaw.
Users are advised to update to the latest version of GNU Tar, available on the GNU FTP server or its mirrors.
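A pre-extraction check for the two-step case described above, as an added example (it is not GNU Tar's code and not part of the advisory): it lists archive members whose parent path inside the destination is already a symlink, which is the state the first extraction leaves behind. The function names and the sample built in demo() are constructed for this example.

```python
import io
import os
import tarfile
import tempfile


def members_crossing_symlinks(archive, dest):
    """Return names of members whose extraction path under dest passes
    through a symlink already on disk, is absolute, or contains '..'."""
    dest_real = os.path.realpath(dest)
    flagged = []
    with tarfile.open(archive) as tf:
        for m in tf.getmembers():
            parts = [p for p in m.name.split("/") if p not in ("", ".")]
            bad = os.path.isabs(m.name) or ".." in parts
            cur = dest_real
            for part in parts[:-1]:      # every parent directory component
                cur = os.path.join(cur, part)
                if os.path.islink(cur):  # left behind by an earlier extraction
                    bad = True
                    break
            if bad:
                flagged.append(m.name)
    return flagged


def demo():
    """Constructed sample: a destination that already holds a symlink, and
    an archive with one member routed through it and one ordinary member."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "dest")
    outside = os.path.join(root, "outside")
    os.makedirs(dest)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(dest, "link"))
    archive = os.path.join(root, "second.tar")
    data = b"constructed sample\n"
    with tarfile.open(archive, "w") as tf:
        for name in ("link/file.txt", "docs/readme.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return members_crossing_symlinks(archive, dest)


if __name__ == "__main__":
    print(demo())
```

A service that extracts several user-supplied archives into the same directory can run this check before each extraction and reject any archive for which the list is non-empty.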