Jim Meyering found:
Assuming an attacker can induce a victim user to copy files created by the
attacker, most versions of cp can be abused in such a way that cp unexpectedly
overwrites or creates an arbitrary, attacker-chosen file using data provided by
the attacker. Of course, the target file must be writable by the user running cp.
No release of GNU cp has been vulnerable since fileutils-4.1.2 (released in Nov
The first trick is to arrange to copy two files with the same basename to a
rm -rf a b c; mkdir a b c && > a/1 && > b/1 && cp a/1 b/1 c
But by itself, that doesn't accomplish anything notable.
However, when symlinks are preserved (add -R -P for Solaris, just -R for HP/UX
and *BSD), the first file copied is a symlink (pointing to the target file) and
a later file (same basename and same dest dir) contains the desired payload, and
it's copied through the symlink that has just been created in the destination
directory, you've accomplished the exploit.
Here are actual examples:
[Note: in the first example, I demonstrate the exploit by writing to the file
named "target" in the current directory, but it could just as easily have been
/etc/passwd (assuming root is the victim). The Solaris example demonstrates how
to overwrite an existing file, $HOME/target. ]
NetBSD 1.6: (note the order of arguments to cp, since the 2nd is copied before
netbsd$ rm -rf a b c; mkdir a b c && echo payload > b/1 && \
ln -s target a/1 && /bin/cp -R b/1 a/1 c; cat c/target
FreeBSD 5.0 and 6.1 work the same as above
OpenBSD 3.9 is vulnerable in the same way.
Solaris 5.10: (note: contrary to above, a/1 can't be a dangling symlink,
and here, the arguments are processed in the expected order)
solaris$ rm -rf a b c; mkdir a b c && echo payload > b/1 \
&& ln -s $HOME/target a/1 && > a/1 && /bin/cp -RP a/1 b/1 c
solaris$ cat $HOME/target
HP/UX 10.20, 11.11, 11.23, 11.31: vulnerable via "/bin/cp -R",
with behavior just like that seen on Solaris.
In the above examples, it's easy to see that there's a risk of funny
business, because of the explicit source file names. But imagine
that some user requests of root to copy all files from two of his/her
directories to some other directory -- and supplies this command
cp -R a/* b/* /some/acceptable/looking/dest/dir
Then, the offending symlink and payload files may be obscured by
hundreds of other files. And a naive victim, seeing that the user
in question owns both source directories, and that the destination
directory is inoffensive, might just run the command. Thus writing e.g.,
any or all of /etc/passwd, /etc/shadow, /root/.profile, etc.
Given the age of this flaw, along with the low severity, I am opening this bug
up to the public.
Summary of affected versions of cp shipped in fileutils, coreutils and busybox
packages in Red Hat Enterprise Linux and Fedora:
- fileutils (RHEL2.1 only) - is affected by this problem, but this issue can
only be used to overwrite existing files, not to create new files
- RHEL3 - similar to cp version shipped in fileutils package in RHEL2.1, can
only by used to overwrite existing files; additionally, warning is printed
when file is overwritten
- RHEL4, RHEL5, Fedora - not affected
- RHEL2.1, RHEL3 - affected, cp can be tricked to overwrite existing files or
create new files
- RHEL4, RHEL5, F7 - affected, only overwrite of already existing file is
- F8 - not affected
Due to the very low severity of this flaw, and the fact that fixing it changes
how cp works, we don't plan to fix the affected versions.
This flaw is fixed in all packages that ship a cp utility from Fedora 8 onward.