Author Yilmaz
Recipients Yilmaz, ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden, zach.ware
Date 2019-01-06.09:08:11
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1546765691.35.0.523415727187.issue35669@roundup.psfhosted.org>
In-reply-to
Content
##Summary:
A TAR file can escape the Python working directory with a symlink.

##Steps to reproduce:
1- Create a directory on the Desktop (for example: testbolum)
2- Enter the path with the "cd" command.
3- Create a symbolic link with the "ln" command ( ln -s ../ symlink ).
4- Create a test file with the "touch" command (touch ../testfile)
5- Create a tar file with the "tar" command-line tool ( tar -czvf proofofconcept.tar symlink/ symlink/testfile)
6- Delete "symlink" with the "rm" command
7- Delete "../testfile" with the "rm" command
8- Run "extract_tar.py"
You can see "testfile" in the "../" path
Proof of concept: "status_python.mp4"

##Status on ptar:
Apply the steps to reproduce for "ptar". ptar warns the user. You can see "status_on_ptarsymlink_file.mp4".

##Status on tar:
Apply the steps to reproduce for "tar". tar warns the user. You can see "status_on_tarsymlink_file.mp4".

##Note for Step 3:
You can set another path, for example ( ln -s /user/test/area/ symlink)

Python should check the symbolic link. The user may not be aware of this. This issue may also cause the software service to run in macOS.


##Proof of concept files:
http://yigittestman.000webhostapp.com/ta/

##Impact:
When the user's tar file is extracted, the file will be sent to the attacker's desired location. This issue may also cause the software service to mount in macOS.
History
Date | User | Action | Args
2019-01-06 09:08:14 | Yilmaz | set | recipients: + Yilmaz, paul.moore, ronaldoussoren, tim.golden, ned.deily, zach.ware, steve.dower
2019-01-06 09:08:11 | Yilmaz | set | messageid: <1546765691.35.0.523415727187.issue35669@roundup.psfhosted.org>
2019-01-06 09:08:11 | Yilmaz | link | issue35669 messages
2019-01-06 09:08:11 | Yilmaz | create |
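The check the report asks for (Python inspecting symbolic links before extracting), written as an added example that is not part of the report, of its "extract_tar.py", or of CPython's tarfile module. It lists every archive member that would end up outside the extraction directory: absolute or ".." paths, symlinks and hard links whose target leaves the root, and any member whose path passes through a symlink member (the "symlink/testfile" under "symlink -> ../" case above), and refuses to extract when any are found. The archive it checks is constructed in memory to mirror the reported layout; find_unsafe_members, safe_extract and the builder helpers are names chosen here, not library API.

```python
import io
import posixpath
import tarfile


def _escapes(rel):
    """True if a normalized relative path climbs above the archive root."""
    return rel == ".." or rel.startswith("../")


def find_unsafe_members(tar):
    """Return [(member_name, reason), ...] for members whose extraction would
    write outside the target directory. Two passes so ordering of members in
    the archive does not matter."""
    unsafe = []
    members = tar.getmembers()
    symlinks = {}  # normalized link path -> target, relative to archive root

    # Pass 1: record every symlink; flag those whose target leaves the root.
    for m in members:
        if not m.issym():
            continue
        name = posixpath.normpath(m.name)
        if posixpath.isabs(m.linkname):
            target = m.linkname
        else:
            target = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
        symlinks[name] = target
        if posixpath.isabs(target) or _escapes(target):
            unsafe.append((m.name, f"symlink target {m.linkname!r} leaves extraction directory"))

    # Pass 2: flag escaping names, escaping hard links, and any path whose
    # directory component is a symlink (extraction would follow the link).
    for m in members:
        name = posixpath.normpath(m.name)
        if posixpath.isabs(name) or _escapes(name):
            unsafe.append((m.name, "path leaves extraction directory"))
            continue
        parts = name.split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                unsafe.append((m.name, f"path passes through symlink {prefix!r} -> {symlinks[prefix]!r}"))
                break
        else:
            if m.islnk():
                target = posixpath.normpath(m.linkname)
                if posixpath.isabs(target) or _escapes(target):
                    unsafe.append((m.name, f"hard link target {m.linkname!r} leaves extraction directory"))
    return unsafe


def safe_extract(tar, path="."):
    """Extract only if no member would escape; otherwise raise with the reasons."""
    problems = find_unsafe_members(tar)
    if problems:
        raise ValueError("refusing to extract: " + "; ".join(f"{n}: {r}" for n, r in problems))
    tar.extractall(path)


def build_poc_archive():
    """Constructed in-memory tar mirroring the report: a symlink 'symlink' -> '../'
    followed by a regular file 'symlink/testfile'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("symlink")
        link.type = tarfile.SYMTYPE
        link.linkname = "../"
        tar.addfile(link)
        data = b"constructed sample\n"
        f = tarfile.TarInfo("symlink/testfile")
        f.size = len(data)
        tar.addfile(f, io.BytesIO(data))
    return buf.getvalue()


def build_clean_archive():
    """Constructed benign tar: a file and a symlink that stays inside the tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"ok\n"
        f = tarfile.TarInfo("dir/file.txt")
        f.size = len(data)
        tar.addfile(f, io.BytesIO(data))
        link = tarfile.TarInfo("dir/alias")
        link.type = tarfile.SYMTYPE
        link.linkname = "file.txt"
        tar.addfile(link)
    return buf.getvalue()


def check_bytes(data):
    """Open an in-memory archive and run the member check on it."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return find_unsafe_members(tar)


if __name__ == "__main__":
    for label, data in (("poc", build_poc_archive()), ("clean", build_clean_archive())):
        print(label, check_bytes(data))
```

The second pass is deliberately conservative: a member under a symlink is rejected whatever the link's target is, because the writer cannot know where the link resolves on the extraction host, and that is exactly the step where the reported archive places "testfile" in "../".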