15 Year Old Python Bug

Trellix Advanced Threat Research Team observed an unpatched 15 year old Python bug found in the Python’s tarfile module tracked as CVE-2007-4559 with CVSS score: 6.8.

“The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive”, said Trellix security researcher Kasimir Schulz.

Upon the successful exploitation of the vulnerability, an attacker can gain code execution from the file write.

The Tarfile Vulnerability

Reports say tarfiles are a collection of multiple different files and metadata which is later used to unarchive the tarfile. In this case, attackers can exploit the flaw by uploading a malicious tarfile which make it possible to escape the directory that a file is intended to be extracted to and achieve code execution.

EHA

The tarfile module allows users add a filter that can be used to parse and modify a file’s metadata before it is added to the tar archive. This facilitates attackers to create their exploits with little lines of code.

“Failure to write any safety code to sanitize the members files before calling for tarfile.extract() tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system” – Charles McFarland Trellix security researcher

The vulnerability is rooted from the extract function in Python’s tarfile module, explicitly trusts the information in the TarInfo object and joins the path that is passed to the extract function and the name in the TarInfo object allowing an attacker to perform a directory traversal attack.

Path Joining with the Filename
Path Joining with the Filename

Additionally, the extractall function relies on the extract function, experts say, the extractall function is also vulnerable to the directory traversal attack.

“An attacker to take advantage of this vulnerability they need to add “..” with the separator for the operating system (“/” or “\”) into the file name to escape the directory the file is supposed to be extracted to”, Trellix

Vulnerability is Incredibly Easy to Exploit

Researchers say this vulnerability is easy to exploit, doesn’t need much knowledge about complicated security. As a result Python’s tarfile module has become a very big supply chain issue frightening infrastructure around the world. 

Download Free SWG – Secure Web Filtering – E-book

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.