TARmageddon in astral-tokio-tar

Repository is a Rust proof-of-concept for “TARmageddon” (CVE-2025-62518) affecting the `tokio-tar` crate’s handling of PAX extended headers. Structure/purpose: - `malicious-payload/` (Rust crate): Generates a crafted `malicious.tar` using the `tar` crate. The generator writes a PAX extended header that sets `size=1024` for the next file, then writes a USTAR header for `benign_file.txt` with size set to `0`. It then places a second, valid TAR header for `sh_profile_hijack` inside what should be the benign file’s data region, followed by the smuggled content (`alias ls='rm -rf /'\n`) and proper 512-byte padding and EOF blocks. - `vulnerable-extract/` (Rust crate): Minimal async extractor using `tokio-tar = 0.3.1` that unpacks a user-supplied TAR into `./output`. This demonstrates the vulnerable behavior: the library uses the PAX size for reading content but uses the USTAR size for advancing to the next header, causing a parser/content pointer mismatch and interpreting embedded data as a new header. - `reproduce.sh`: Automates building the payload, showing that GNU tar lists only the benign file, then running the vulnerable extractor to show the extra smuggled file appears in `output/`. Exploit capability: - Not a network exploit; it is a malicious archive that, when processed by vulnerable `tokio-tar`, results in additional attacker-controlled files being written to disk that may evade naive archive inspection/scanning. This can enable supply-chain/CI poisoning or security-tool bypass scenarios where inspection uses correct TAR semantics but extraction uses the vulnerable parser.

This repository is a comprehensive, multi-language proof-of-concept for CVE-2025-62518, a critical vulnerability in several Rust async tar libraries (tokio-tar, async-tar, krata-tokio-tar, astral-tokio-tar) related to improper handling of PAX extended header size overrides. The exploit is implemented as a full test suite and reproduction harness: - The core exploit is a specially crafted tar archive (pax_bug_compact.tar) generated by repro_generator/repro_generator.cpp. This archive contains a PAX header specifying a large file size, but a ustar header with size zero, and file content that begins with a valid tar header for a nested file. - The repository includes C++ tools (tarwalk.cpp, tarwalk_bad.cpp) to analyze and compare correct vs buggy parsing behavior, and a Rust tool (tar-bug-detector) to compare the behavior of different tar libraries. - The exploit demonstrates that vulnerable libraries will misinterpret file content as new archive entries, allowing attackers to smuggle or overwrite files during extraction, bypassing manifest validation and potentially leading to code execution or supply chain attacks. - The repository also contains detailed disclosure documentation, technical analysis, and patches for affected libraries. No network endpoints or remote services are involved; the attack is local and targets archive extraction logic, but the impact is significant for supply chain and build systems that process untrusted tar files.