15 Year Old Python Bug Let Hacker Execute Code in Code 350k Python Projects

Trellix Advanced Threat Research Team observed an unpatched 15 year old Python bug found in the Python’s tarfile module tracked as CVE-2007-4559 with CVSS score: 6.8.

“The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive”, said Trellix security researcher Kasimir Schulz.

Upon the successful exploitation of the vulnerability, an attacker can gain code execution from the file write.

The Tarfile Vulnerability

Reports say tarfiles are a collection of multiple different files and metadata which is later used to unarchive the tarfile. In this case, attackers can exploit the flaw by uploading a malicious tarfile which make it possible to escape the directory that a file is intended to be extracted to and achieve code execution.

The tarfile module allows users add a filter that can be used to parse and modify a file’s metadata before it is added to the tar archive. This facilitates attackers to create their exploits with little lines of code.

“Failure to write any safety code to sanitize the members files before calling for tarfile.extract() tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system” – Charles McFarland Trellix security researcher

The vulnerability is rooted from the extract function in Python’s tarfile module, explicitly trusts the information in the TarInfo object and joins the path that is passed to the extract function and the name in the TarInfo object allowing an attacker to perform a directory traversal attack.

Path Joining with the Filename

Additionally, the extractall function relies on the extract function, experts say, the extractall function is also vulnerable to the directory traversal attack.

“An attacker to take advantage of this vulnerability they need to add “..” with the separator for the operating system (“/” or “\”) into the file name to escape the directory the file is supposed to be extracted to”, Trellix

Vulnerability is Incredibly Easy to Exploit

Researchers say this vulnerability is easy to exploit, doesn’t need much knowledge about complicated security. As a result Python’s tarfile module has become a very big supply chain issue frightening infrastructure around the world. 

Download Free SWG – Secure Web Filtering – E-book

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

NSA Announces Retirement of Cybersecurity Director Rob Joyce

In a significant announcement from the National Security Agency (NSA), Rob Joyce, the esteemed Director…

15 hours ago

Signal Introduces Username to keep Your Phone Number More private

Signal, the privacy-focused messaging app, has introduced a significant update allowing users to keep their…

15 hours ago

Google Chrome 122 Released With Fix For Critical Security Flaws

Google has announced the release of Chrome 122, marking a pivotal moment for the popular…

21 hours ago

ScreenConnect Security Flaw Let Attackers Bypass Authentication

In a critical security advisory, ConnectWise has alerted users of its ScreenConnect remote access software…

23 hours ago

Authorities Warns Of North Korean Attackers Stealing Military Technologies

Threat actors target military technologies to gain a strategic advantage, access classified information, and compromise…

1 day ago

LockBit Ransomware Infrastructre taken Down by Global Law Enforcement Agencies

In a significant blow to the global ransomware landscape, international law enforcement agencies have successfully…

2 days ago