At least 350,000 open source projects are believed to be potentially vulnerable to exploitation through a Python module flaw that has remained unchanged for 15 years.
On Tuesday, security firm Trellix said its threat researchers had encountered a vulnerability in Python's tarfile module, which provides a way to read and write compressed bundles of files known as tar archives. Initially, the bug hunters thought they had stumbled on a zero-day.
It turned out to be more of a 5,500-day issue: the bug has been living its best life for the past decade and a half while waiting to go extinct.
Identified as CVE-2007-4559, the vulnerability came to light on August 24, 2007, in a Python mailing list post from Jan Matejek, who was the Python package maintainer for SUSE at the time. It can be used to overwrite or hijack files on a victim's machine when a malicious tar archive is opened by a vulnerable application.
“The vulnerability basically goes like this: If you tar a file named "../../../../../etc/passwd" and then make admin untar it, /etc/passwd gets overwritten,” Matejek explained at the time.
The tarfile directory traversal was flagged on August 29, 2007 by Tomas Hoger, a software engineer at Red Hat.
By then it had already been addressed, after a fashion. The day before, Lars Gustäbel, the maintainer of the tarfile module, had committed a code change that adds a check_paths parameter, defaulting to true, and a helper function to the TarFile.extractall() method that raises an error when a file path in a tar archive is unsafe.
But the fix didn't address the TarFile.extract() method – which Gustäbel said “shouldn't be used at all” – and left open the possibility that extracting data from untrusted archives could cause problems.
In a comment thread, Gustäbel explained that he no longer considered it a security issue. “tarfile.py does nothing wrong, its behavior conforms to the pax definition and pathname resolution guidelines in POSIX,” he wrote.
“There is no known or potential practical exploit. [I updated the] documentation with a caveat that extracting archives from untrusted sources can be dangerous. That's the only thing to do IMO.”
Indeed, the documentation describes this footgun:
WARNING: Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..".
And yet here we are, with both extract() and extractall() still posing a risk of arbitrary path traversal.
“The vulnerability is a path traversal attack in the extractall function of the tarfile module that allows an attacker to overwrite arbitrary files by adding the ‘..’ sequence to filenames in a tar archive,” explained Casimir Schulz, a vulnerability researcher for Trellix, in a blog post.
The “..” sequence moves the path up to the parent directory. So using code like the six-line snippet below, Schulz says, the tarfile module can be asked to read and modify a file's metadata before it is added to the tar archive, and the result is an exploit.
    import tarfile

    def change_name(tarinfo):
        tarinfo.name = "../" + tarinfo.name
        return tarinfo

    with tarfile.open("exploit.tar", "w:xz") as tar:
        tar.add("malicious_file", filter=change_name)
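The defensive counterpart is to check every member's destination path before anything touches the filesystem. The following is an added example, not code from Trellix, from the Python project or from the article: it builds a small in-memory archive from constructed entries (so no files need to exist), reports members whose name or link target would resolve outside the extraction directory, and refuses the whole archive if any are found. The function names (is_within_directory, unsafe_members, safe_extractall, build_archive, check_entries, demo) and the sample entries are this example's own.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory(directory, target):
    """True if `target`, after normalising any '..' segments, lies inside `directory`."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    try:
        return os.path.commonpath([abs_directory, abs_target]) == abs_directory
    except ValueError:  # e.g. different drives on Windows
        return False


def unsafe_members(tar, dest):
    """Names of members whose extraction path, or link target, would escape `dest`."""
    bad = []
    for member in tar.getmembers():
        # os.path.join discards `dest` entirely if the member name is absolute,
        # which is exactly why absolute names are flagged by the check below.
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
            continue
        if member.issym():
            # A symlink target is resolved relative to the link's own directory.
            link_target = os.path.join(os.path.dirname(target), member.linkname)
        elif member.islnk():
            # A hard link target is relative to the archive root.
            link_target = os.path.join(dest, member.linkname)
        else:
            continue
        if not is_within_directory(dest, link_target):
            bad.append(member.name)
    return bad


def safe_extractall(tar, dest):
    """Refuse the whole archive if any member is unsafe; otherwise extract it."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("refusing to extract, unsafe member paths: " + ", ".join(bad))
    # On Python 3.12+ (and the backports that added tarfile.data_filter) also
    # pass filter="data" so the standard library applies its own checks.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, **kwargs)


def build_archive(entries):
    """Constructed test data: an in-memory tar from (name, data, linkname) tuples.

    A non-empty linkname makes a symlink member; otherwise a regular file.
    TarFile.addfile() keeps the member name exactly as given, so traversal
    names can be planted without touching the real filesystem.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name=name)
            if linkname:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def check_entries(entries, dest):
    """Build the archive and return the names of its unsafe members."""
    with tarfile.open(fileobj=build_archive(entries), mode="r") as tar:
        return unsafe_members(tar, dest)


def demo():
    """Extract a benign and a hostile archive into a temp dir; return (benign_ok, hostile_ok)."""
    dest = tempfile.mkdtemp()
    benign = [("docs/readme.txt", b"hello\n", "")]
    hostile = [("../escaped.txt", b"outside\n", ""), ("docs/ok.txt", b"fine\n", "")]
    results = []
    for entries in (benign, hostile):
        with tarfile.open(fileobj=build_archive(entries), mode="r") as tar:
            try:
                safe_extractall(tar, dest)
                results.append(True)
            except ValueError:
                results.append(False)
    return tuple(results)


if __name__ == "__main__":
    print("benign extracted, hostile extracted:", demo())
```

The check is done on the whole member list before extraction starts, so a hostile archive leaves nothing behind rather than half its contents; on interpreters that ship tarfile.data_filter the same validation is also delegated to the standard library via filter="data".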
According to Schulz, Trellix has made a free tool called Creosote to scan for CVE-2007-4559. The software has already found the bug lurking in applications such as the Spyder IDE, an open-source scientific environment written in Python, and Polemarch, an IT infrastructure management service for Linux and Docker.
Trellix says the tarfile flaw can be found “in over 350,000 open-source projects and prevalent in closed-source projects”. It also states that tarfile is a default module in any Python project and is present in frameworks maintained by AWS, Facebook, Google, and Intel, and in applications for machine learning, automation, and Docker containers.
Trellix says it is working to make patches available for affected projects.
“Using our tools, we currently have patches for 11,005 repositories, ready for pull requests,” explained Charles McFarland, a vulnerability researcher at Trellix, in a blog post. “Each patch will be added to a forked repository and a pull request will be made over time. This will help individuals and organizations alike to become aware of the problem and give them a one-click fix.
“Due to the size of the vulnerable projects, we expect this process to continue over the next few weeks. This is expected to reach 12.06 percent of all vulnerable projects, a little over 70K projects, by the time they are completed.”
The remaining 87.94 per cent of affected projects might want to consider other options.