At least 350,000 open source projects are believed to be potentially vulnerable to exploitation through a Python module bug that hasn’t been fixed in 15 years.
On Tuesday, security firm Trellix said its threat researchers had discovered a vulnerability in Python's tarfile module, which provides a way to read and write compressed file packages known as tar archives. Initially, the bug hunters thought they had accidentally stumbled upon a zero-day.
It turned out to be a 5,500-day problem: the bug has lived its best life for the past decade and a half while awaiting extinction.
Identified as CVE-2007-4559, the vulnerability surfaced on August 24, 2007, in a post to the Python mailing list by Jan Matejek, who was the Python package maintainer for SUSE at the time. It can be exploited to potentially overwrite and hijack files on a victim's computer if a vulnerable application opens a malicious tarball via extractall().
“Basically, the vulnerability looks like this: if you tar a file named "../../../../../etc/passwd" and then the admin untars it, /etc/passwd will be overwritten in the process,” Matejek explained at the time.
The tarfile directory traversal bug was reported on August 29, 2007 by Tomas Hoger, a software engineer at Red Hat.
But it had already been addressed, so to speak. A day earlier, Lars Gustäbel, maintainer of the tarfile module, had committed a code change that adds a default value for the check_paths parameter and a helper function for the TarFile.extractall() method that throws an error if the path of a file in a tar archive is unsafe.
But the fix didn't cover the TarFile.extract() method – which Gustäbel says “should not be used at all” – and left open the possibility that extracting data from untrusted archives could cause problems.
In a comment thread, Gustäbel explained that he no longer considered this a security issue. “tarfile.py does nothing wrong, its behavior conforms to the Pax definition and pathname resolution guidelines in POSIX,” he wrote.
“There is no known or potential practical benefit. I updated the documentation with a warning that extracting archives from untrusted sources could be dangerous. I think that's the only thing to do.”
In fact, the documentation describes this footgun:
Warning: Never extract archives from untrusted sources without prior inspection. It is possible for files to be created outside of path, e.g. members whose absolute file names start with "/" or filenames with two dots "..".
And yet here we are, with both extract() and extractall() still posing a risk of arbitrary path traversal.
“The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the sequence ‘..’ to file names in a tar archive,” explains Kasimir Schulz, vulnerability researcher at Trellix, in a blog post.
The “..” sequence moves the current working path up to the parent directory. So with code like the six-line snippet below, Schulz says, the tarfile module can be instructed to rewrite a file's metadata (here, its name) before adding it to the tarball. The result is an exploit.
    import tarfile

    def change_name(tarinfo):
        # the filter rewrites each member's name before it is written to the archive
        tarinfo.name = "../" + tarinfo.name
        return tarinfo

    with tarfile.open("exploit.tar", "w:xz") as tar:
        tar.add("malicious_file", filter=change_name)
According to Schulz, Trellix built a free tool called Creosote to scan for CVE-2007-4559. The software has already found the bug lurking in applications such as Spyder IDE, an open-source scientific environment written for Python, and Polemarch, an IT infrastructure management service for Linux and Docker.
The company estimates that the tarfile bug is found “in over 350,000 open source projects and widespread in closed source projects.” It also points out that tarfile is a standard module in any Python project and is present in frameworks created by AWS, Facebook, Google, and Intel, as well as in machine learning, automation, and Docker container applications.
Trellix says it is working to make fixed code available to affected projects.
“With our tools, we currently have 11,005 repositories patched, ready for pull requests,” stated Charles McFarland, a vulnerability researcher for Trellix, in a blog post. “Each patch is added to a forked repository and a pull request is made over time. This will help individuals and organizations alike become aware of the issue and give them a one-click solution.
“Due to the size of vulnerable projects, we expect to continue this process over the next few weeks. This is expected to affect 12.06 percent of all vulnerable projects, just over 70,000 projects at the time of completion.”
The remaining 87.94 percent of affected projects may want to consider other possible options. ®
https://www.theregister.com/2022/09/22/python_vulnerability_tarfile/ 15-year-old Python bug found in “over 350,000” projects • The Register