Src | Date (GMT) | Title | Description | Tags | Stories | Notes |
2023-01-23 20:14:17 |
Blast from the Past: How Attackers Compromised Zimbra With a Patched Vulnerability (direct link) |
Last year, I worked on a vulnerability in Zimbra
(CVE-2022-41352 - my
AttackerKB analysis for Rapid7)
that turned out to be a new(-ish) exploit path for a really old bug in cpio -
CVE-2015-1194. But that was patched in 2019, so what happened?
(I posted this as a tweet-thread a while back, but I decided to flesh it out and
make it into a full blog post!)
cpio is an archive tool commonly used for system-level stuff (firmware images
and such). It can also extract other formats, such as .tar, which we'll use since
it's more familiar.
cpio has a flag (--no-absolute-filenames), off by default,
that purports to prevent writing files outside of the target directory. That's
handy when, for example, extracting untrusted files with Amavis
(like Zimbra does).
The problem is, symbolic links can point to absolute paths, and therefore, even
with --no-absolute-filenames, there was no safe way to extract an untrusted
archive (outside of using a chroot environment or something similar, which
they really ought to do).
Much later, in 2019, the cpio team released cpio version 2.13, which
includes a patch for
CVE-2015-1194,
with unit tests and everything.
Some (not all) modern OSes include the patched version of cpio, which should be
the end of the story, but it's not!
I'm currently writing this on Fedora 35, so let's try exploiting it. We can
confirm that the version of cpio installed with the OS is, indeed, the fixed
version:
ron@fedora ~ $ cpio --version
cpio (GNU cpio) 2.13
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Phil Nelson, David MacKenzie, John Oleynick,
and Sergey Poznyakoff.
That means that we shouldn't be able to use symlinks to write outside of the
target directory, so let's create a .tar file that includes a symlink and a
file written through that symlink (this is largely copied from
this mailing list post):
ron@fedora ~ $ mkdir cpiotest
ron@fedora ~ $ cd cpiotest
ron@fedora ~/cpiotest $ ln -s /tmp/ ./demo
ron@fedora ~/cpiotest $ echo 'hello' > demo/imafile
ron@fedora ~/cpiotest $ tar -cvf demo.tar demo demo/imafile
demo
demo/imafile
ron@fedora ~/cpiotest $ |
Tool, Vulnerability | APT 17 | ★★★★ |
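The post's point is that stripping a leading "/" from entry names (what --no-absolute-filenames does) is not enough, because a symlink entry can point at an absolute path and a later entry can then be written through it. The script below is an added example, not code from the post or from the cpio project: it is a pre-extraction check, written with Python's tarfile module rather than cpio, that walks an archive in order, records where each symlink points, and flags any entry whose path would land outside the extraction root even after absolute names are stripped. The two sample archives are constructed in memory and mirror the post's repro (a symlink "demo" plus a file "demo/imafile"); "realdir" in the benign sample is an assumed name.

```python
import io
import posixpath
import tarfile


def _normalize(name):
    """Strip a leading '/' (as --no-absolute-filenames does) and collapse '.'
    and '..' components; the result is relative to the extraction root."""
    return posixpath.normpath(name.lstrip("/"))


def _escapes(rel):
    """True if an archive-relative path climbs above the extraction root."""
    return rel == ".." or rel.startswith("../")


def _resolve(path, links):
    """Follow symlinks that earlier archive entries defined for any prefix of
    path. Returns the archive-relative location a write would land on, or
    None if it leaves the root. links maps symlink path -> target, with None
    meaning 'this link already escapes'."""
    for _ in range(64):  # hop bound so a symlink loop cannot spin forever
        parts = path.split("/")
        for i in range(1, len(parts) + 1):
            prefix = "/".join(parts[:i])
            if prefix in links:
                target = links[prefix]
                if target is None:
                    return None
                path = posixpath.normpath("/".join([target] + parts[i:]))
                if _escapes(path):
                    return None
                break
        else:
            return path  # no symlink in any prefix: the path is final
    return None  # too many hops: treat as unsafe


def check_archive(tar_bytes):
    """Return (member_name, reason) pairs for entries that would write or
    point outside the extraction directory. An empty list means the archive
    passed this check (it says nothing about the file contents)."""
    findings = []
    links = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            name = _normalize(m.name)
            if _escapes(name):
                findings.append((m.name, "path traverses above the extraction root"))
                continue
            if _resolve(name, links) is None:
                findings.append((m.name, "written through a symlink that leaves the extraction root"))
                continue
            if m.issym():
                if posixpath.isabs(m.linkname):
                    findings.append((m.name, "symlink target is absolute: " + m.linkname))
                    links[name] = None
                    continue
                # Relative targets are interpreted from the link's own directory.
                target = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
                resolved = None if _escapes(target) else _resolve(target, links)
                if resolved is None:
                    findings.append((m.name, "symlink target leaves the extraction root: " + m.linkname))
                links[name] = resolved
            elif m.islnk() and _resolve(_normalize(m.linkname), links) is None:
                findings.append((m.name, "hard link target leaves the extraction root: " + m.linkname))
    return findings


def build_sample(escaping):
    """Constructed in-memory archive mirroring the post's repro: a symlink
    'demo' followed by a file 'demo/imafile'. With escaping=True the link
    targets /tmp; otherwise it targets a directory inside the archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("demo")
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp" if escaping else "realdir"
        tf.addfile(link)
        if not escaping:
            d = tarfile.TarInfo("realdir")
            d.type = tarfile.DIRTYPE
            tf.addfile(d)
        data = b"hello\n"
        f = tarfile.TarInfo("demo/imafile")
        f.size = len(data)
        tf.addfile(f, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("escaping", build_sample(True)), ("benign", build_sample(False))):
        print(label, check_archive(blob))
```

The check is ordered, which matters: the file entry "demo/imafile" is only dangerous because the symlink "demo" came before it, so the scanner has to remember earlier links rather than inspect each entry in isolation. It also stops at the first hop bound instead of trusting a long chain, and it treats a relative symlink target as resolved from the link's own directory, the same way the extractor will. As the post notes, a check like this is a stopgap; extracting untrusted archives inside a chroot or similar isolation is the more robust fix.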