CVE-2015-0857
📋 TL;DR
CVE-2015-0857 is a command injection vulnerability in Cool Projects TarDiff that allows remote attackers to execute arbitrary commands via shell metacharacters in tar file names or file names within tar archives. This affects systems using vulnerable versions of TarDiff to process untrusted tar files. Attackers can achieve remote code execution with the privileges of the TarDiff process.
💻 Affected Systems
- Cool Projects TarDiff
📦 What is this software?
Tardiff by Tardiff Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root privileges if TarDiff runs as root, allowing attackers to install backdoors, exfiltrate data, or pivot to other systems.
Likely Case
Remote code execution with the privileges of the user running TarDiff, enabling data theft, lateral movement, or denial of service.
If Mitigated
Limited impact if TarDiff runs in a sandboxed environment with minimal privileges and processes only trusted tar files.
🎯 Exploit Status
Exploitation is straightforward by crafting tar files with malicious file names containing shell metacharacters like semicolons, backticks, or command substitutions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions including commits 9bd6a07bc204472ac27242cea16f89943b43003a and a18e8df51511df276e61dbccdbe1714fc53af965
Vendor Advisory: http://www.debian.org/security/2016/dsa-3562
Restart Required: No
Instructions:
1. Update TarDiff to a patched version from the official repository.
2. For Debian systems, apply the security update via 'apt-get update && apt-get upgrade tardiff'.
3. Verify the fix by checking that the commit history includes the security patches.
🔧 Temporary Workarounds
Input validation and sanitization
Implement custom validation to reject tar files with shell metacharacters in file names before processing with TarDiff.
#!/bin/bash
# Example script to check tar file names before handing the archive to TarDiff.
# The pattern is single-quoted so this script does not itself expand the backtick or $( .
meta='[;&|`$()]'
if printf '%s\n' "$1" | grep -q "$meta"; then
  echo "Rejecting archive path with suspicious characters" >&2
  exit 1
fi
if tar -tf "$1" | grep -q "$meta"; then
  echo "Rejecting tar file with suspicious characters" >&2
  exit 1
fi
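The same pre-flight check implemented without a shell, as an added example that is not part of the advisory: it reads the archive with Python's tarfile module, flags the archive's own path as well as every member (and link target) name containing a shell metacharacter, and constructs its own sample archive so it runs offline. The metacharacter set is an assumption and is deliberately broader than the grep class above.

```python
import io
import re
import tarfile

# Assumption: a conservative metacharacter set. Besides the characters the advisory
# names, it rejects redirection, quotes, backslash, newline and globbing characters,
# any of which can alter a command line that is built from an untrusted name.
SHELL_META = re.compile(r'[;&|`$()<>\'"\\\n*?]')


def unsafe_names(archive, archive_path=""):
    """Return the names that must not reach a shell: the outer archive path (if given)
    first, then each member whose name or link target contains a metacharacter."""
    bad = []
    if archive_path and SHELL_META.search(archive_path):
        bad.append(archive_path)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf:
            link_bad = (member.issym() or member.islnk()) and SHELL_META.search(member.linkname)
            if SHELL_META.search(member.name) or link_bad:
                bad.append(member.name)
    return bad


def build_archive(names):
    """Construct a small in-memory tar with the given member names (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: two benign members and two whose names carry metacharacters.
SAMPLE = build_archive(["docs/README", "a;b.txt", "`c`.txt", "plain.c"])

if __name__ == "__main__":
    for name in unsafe_names(SAMPLE, "release-1.0.tar"):
        print("rejecting:", name)
```

Reject the whole archive if the returned list is non-empty; invoking TarDiff only on archives that pass is the equivalent of the grep gate above, with the check done in-process.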
Run TarDiff with restricted privileges
Execute TarDiff as a low-privilege user in a chroot or container to limit damage if exploited.
sudo -u nobody tardiff [options]
🧯 If You Can't Patch
- Disable TarDiff usage for processing untrusted tar files entirely.
- Implement network segmentation to isolate systems running vulnerable TarDiff versions.
🔍 How to Verify
Check if Vulnerable:
Check TarDiff version and commit history. If using Git, verify if security commits are present: 'git log --oneline | grep -E "9bd6a07|a18e8df"'.
Check Version:
tardiff --version 2>/dev/null || dpkg -l tardiff 2>/dev/null || rpm -q tardiff 2>/dev/null
Verify Fix Applied:
Test with a tar file containing shell metacharacters in file names. If TarDiff rejects it or processes it safely without command execution, the fix is likely applied.
📡 Detection & Monitoring
Log Indicators:
- Unusual shell commands executed by the TarDiff process
- Error messages related to tar file processing failures
- Unexpected process spawns from TarDiff
Network Indicators:
- Outbound connections from systems running TarDiff to unexpected destinations
- Unusual data exfiltration patterns
SIEM Query:
process.name:"tardiff" AND (process.cmdline:*[;&|`$()]* OR process.parent.name:"tardiff")
🔗 References
- http://www.debian.org/security/2016/dsa-3562
- https://anonscm.debian.org/cgit/collab-maint/tardiff.git/commit/?id=9bd6a07bc204472ac27242cea16f89943b43003a
- https://anonscm.debian.org/cgit/collab-maint/tardiff.git/commit/?id=a18e8df51511df276e61dbccdbe1714fc53af965