GNU Tar Hidden File Injection Vulnerability

Vulnerability

A vulnerability in GNU Tar allows remote attackers to inject hidden files with malicious content by crafting a specific archive. Exploitation bypasses pre-extraction inspection, so harmful files can be introduced onto a system undetected. The issue arises from the handling of non-data-bearing typeflags in the archive, which can be manipulated to create a discrepancy between the archive's listed contents and the files actually extracted.

Impact

Exploitation of this vulnerability results in hidden file injection, with the injected files containing fully attacker-controlled content. This injection bypasses standard pre-extraction inspection processes, allowing malicious files to be introduced to a system without detection.

Reproduction

To reproduce this vulnerability, create a tar archive that includes an entry with a non-data-bearing typeflag, such as a character device, and set a non-zero size on that entry. When the archive is listed using 'tar -t', the injected file will not appear. However, once the archive is extracted with 'tar -x', the previously hidden file will be created on disk, demonstrating the injection.

Remediation

Avoid extracting tar archives from untrusted sources. If it is necessary to process untrusted archives, do so in a sandboxed environment to minimize potential risks.
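
A pre-extraction check for the condition described under Reproduction, written as an added example that is not part of the original advisory or of GNU Tar: it walks the raw 512-byte headers of a seekable stream and reports every non-data-bearing entry that declares a non-zero size. The function names, the set of typeflags treated as non-data-bearing, and the two sample archives are assumptions constructed for this illustration.

```python
import io

BLOCK = 512
# Assumption: ustar typeflags that carry no file data. Hard links ('1') and
# directories ('5') are left out: some writers record a non-zero size for them.
NO_DATA_TYPES = {b"2": "symlink", b"3": "chardev", b"4": "blockdev", b"6": "fifo"}

def parse_size(field):
    """Decode the 12-byte size field: octal text, or GNU base-256 if bit 7 is set."""
    if field[0] & 0x80:
        return int.from_bytes(field[1:], "big")
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0

def find_sized_nodata_entries(stream):
    """Return (offset, name, kind, size) for each no-data entry with size != 0."""
    findings, offset = [], 0
    while True:
        header = stream.read(BLOCK)
        if len(header) < BLOCK or header == bytes(BLOCK):
            break  # truncated input or end-of-archive marker
        name = header[0:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        size = parse_size(header[124:136])
        kind = NO_DATA_TYPES.get(header[156:157])
        if kind and size:
            findings.append((offset, name, kind, size))
        # Skip the declared data blocks. A caller should reject the archive on
        # any finding, so the position after a flagged header is not relied on.
        padded = -(-size // BLOCK) * BLOCK
        stream.seek(padded, io.SEEK_CUR)
        offset += BLOCK + padded
    return findings

def make_header(name, typeflag, size):
    """Build a minimal ustar header for the constructed samples below."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name.encode()
    h[124:136] = b"%011o\0" % size
    h[148:156] = b" " * 8              # checksum is computed over spaces
    h[156:157] = typeflag
    h[257:263] = b"ustar\0"
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h)

# Constructed samples: a regular file, and a char device declaring 512 bytes of filler.
CLEAN = make_header("a.txt", b"0", 5) + b"hello".ljust(BLOCK, b"\0") + bytes(2 * BLOCK)
SUSPECT = make_header("dev", b"3", BLOCK) + b"A" * BLOCK + bytes(2 * BLOCK)
```

Any non-empty result from `find_sized_nodata_entries` is grounds to refuse extraction or to route the archive to the sandboxed path.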

Added: Apr 6, 2026, 4:20 PM
Updated: Apr 6, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.6
remediation: 7.9
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.