Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-78m5-jpmf-ch7v

Опубликовано: 05 дек. 2022
Источник: github
Github: Прошло ревью
CVSS4: 2.3
CVSS3: 5.8

Описание

GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package

Summary

Unsafe extracting using shutil.unpack_archive() from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination.

Details

Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten.

The vulnerable code snippet is between L153..158.

response = requests.get(url, stream=True) with open(zippath, "wb") as f: f.write(response.raw.read()) shutil.unpack_archive(zippath, unzippedpath)

It seems that a remotely retrieved tarball which could be with the extension .tar.gz happens to be unpacked using shutil.unpack_archive() with no destination verification/limitation of the extracted files.

PoC

The PoC provided showcases the risk of extracting the non-harmless text file sim4n6.txt to a parent location rather than the current folder.

> tar --list -f archive.tar tar: Removing leading `../../../' from member names ../../../sim4n6.txt > python3 Python 3.10.6 (main, Nov 2 2022, 18:53:38) [GCC 11.3.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import shutil >>> shutil.unpack_archive("archive.tar") >>> exit() > file ../../../sim4n6.txt ../../../sim4n6.txt: ASCII text

A Potential Attack Scenario

  • An attacker may craft a malicious tarball with a filename path, such as ../../../../../../../../etc/passwd, and then serve the archive remotely, thus, providing a possibility to overwrite the system files.

Mitigation

Potential mitigation could be to:

  • Use a safer module, like zipfile.
  • Validate the location of the extracted files and discard those with malicious paths such as a relative path .. or absolute ones.

Ссылки

Пакеты

Наименование

guarddog

pip
Затронутые версииВерсия исправления

<= 0.1.7

0.1.8

EPSS

Процентиль: 74%
0.00814
Низкий

2.3 Low

CVSS4

5.8 Medium

CVSS3

CVE ID

CVE-2022-23530

Дефекты

CWE-22

Связанные уязвимости

nvd логотип

CVE-2022-23530

CVSS3: 5.8
nvd
около 3 лет назад

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths.

EPSS

Процентиль: 74%
0.00814
Низкий

2.3 Low

CVSS4

5.8 Medium

CVSS3

CVE ID

CVE-2022-23530

Дефекты

CWE-22