15-year-old Python flaw found in ‘over 350,000’ projects • The Register

At least 350,000 open source projects are believed to be potentially vulnerable to exploitation via a Python module flaw that hasn’t been patched for 15 years.

On Tuesday, security firm Trellix said its threat researchers had found a vulnerability in Python's tarfile module, which provides a way to read and write the compressed file packages known as tar archives. Initially, the bug hunters thought they had stumbled upon a zero day.

It turned out to be a problem of about 5500 days: the bug has been living its best life for the last decade and a half while waiting to be squashed.

Identified as CVE-2007-4559, the vulnerability came to light on August 24, 2007, in a Python mailing list post by Jan Matejek, who at the time was the maintainer of the Python package for SUSE. It can be exploited to overwrite and hijack files on a victim's machine when a malicious tar file is opened by a vulnerable application via tarfile.

“The vulnerability is basically like this: if you tar a file called "../../../../../etc/passwd" and then the admin does untar, /etc/passwd is overwritten,” Matejek explained at the time.

The tarfile directory traversal bug was reported on August 29, 2007 by Tomas Hoger, a software engineer at Red Hat.

But it had already been addressed, more or less. A day earlier, Lars Gustäbel, maintainer of the tarfile module, committed a code change that added a check_paths parameter (defaulting to True) and a helper function to the TarFile.extractall() method, which throws an error if a path in a tar file is not safe.

But the fix did not cover the TarFile.extract() method, which Gustäbel said “should not be used at all”, and so left open the possibility that extracting data from untrusted files could cause problems.

In a comment thread, Gustäbel explained that he no longer considers this a security issue. “tarfile.py doesn't do anything wrong, its behavior conforms to the pax definition and pathname resolution guidelines in POSIX,” he wrote.

“There is no practical exploit known or possible. I [updated] the documentation with a warning that it might be dangerous to extract files from untrusted sources. That's the only thing to do in my opinion.”

Indeed, the documentation describes this hazard:

Warning: never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..".

And yet here we are, with both extract() and extractall() still posing the threat of arbitrary path traversal.

“The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the ‘..’ sequence to filenames in a tar archive,” explained Kasimir Schulz, vulnerability researcher at Trellix, in a blog post.

The “..” sequence moves the current working path up to the parent directory. So with code like the six-line snippet below, says Schulz, the tarfile module can be told to read and modify a file's metadata before adding it to the tar archive, and the result is an exploit.

import tarfile

# Filter hook called for each member as it is added: it rewrites the stored
# member name so that it begins with "../", one directory above wherever the
# archive is later extracted.
def change_name(tarinfo):
    tarinfo.name = "../" + tarinfo.name
    return tarinfo

# "malicious_file" must exist in the current directory; the resulting
# exploit.tar carries a member named "../malicious_file".
with tarfile.open("exploit.tar", "w:xz") as tar:
    tar.add("malicious_file", filter=change_name)
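The defensive counterpart to the snippet above is the “prior inspection” the tarfile documentation asks for: check every member's name and link target against the extraction directory before extracting anything. The following is an added example (not code from the article, Trellix, or CPython); the helper names build_tar, member_is_safe, unsafe_members and safe_extractall are assumed for this illustration, and the archives it inspects are constructed in memory.

```python
import io
import os
import tarfile
import tempfile


def build_tar(files, symlinks=None):
    """Build a tar archive in memory from constructed test data.

    `files` maps member name -> payload bytes; `symlinks` maps link name ->
    link target. Names go into the headers verbatim, so "../evil.txt" is
    stored exactly as the filter-based snippet above would store it.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def is_within_directory(directory, target):
    """True if `target` resolves (lexically and via realpath) to inside `directory`."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def member_is_safe(member, dest):
    """Decide whether extracting `member` into `dest` could touch anything outside it."""
    member_path = os.path.join(dest, member.name)
    # Absolute names and "../" traversal both resolve outside dest.
    if os.path.isabs(member.name) or not is_within_directory(dest, member_path):
        return False
    if member.issym():
        # A symlink target is relative to the directory containing the link.
        target = os.path.join(os.path.dirname(member_path), member.linkname)
        return not os.path.isabs(member.linkname) and is_within_directory(dest, target)
    if member.islnk():
        # A hard link target is relative to the archive root.
        return is_within_directory(dest, os.path.join(dest, member.linkname))
    # Only regular files and directories are worth extracting; refuse devices, FIFOs, etc.
    return member.isfile() or member.isdir()


def unsafe_members(archive_bytes, dest):
    """Return the names of all members that would escape `dest`, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if not member_is_safe(m, dest)]


def safe_extractall(archive_bytes, dest):
    """Refuse the whole archive if any member is unsafe; otherwise extract it.

    Returns the relative paths of the regular files present under `dest` afterwards.
    """
    bad = unsafe_members(archive_bytes, dest)
    if bad:
        raise ValueError("refusing to extract archive with unsafe members: %r" % bad)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and backported security releases) provide extraction
            # filters; "data" re-checks paths and link targets as a second layer.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    extracted = []
    for root, _dirs, names in os.walk(dest):
        for name in names:
            extracted.append(os.path.relpath(os.path.join(root, name), dest))
    return sorted(extracted)


def demo():
    """Run the check on a constructed hostile archive and a benign one."""
    hostile = build_tar({"../evil.txt": b"pwned\n", "ok/readme.txt": b"hello\n"},
                        symlinks={"escape": "../../outside"})
    benign = build_tar({"ok/readme.txt": b"hello\n"})
    dest = tempfile.mkdtemp()
    rejected = unsafe_members(hostile, dest)
    try:
        safe_extractall(hostile, dest)
        hostile_extracted = True
    except ValueError:
        hostile_extracted = False
    return {
        "rejected": rejected,                       # ['../evil.txt', 'escape']
        "hostile_extracted": hostile_extracted,     # False
        "extracted": safe_extractall(benign, dest), # ['ok/readme.txt']
    }


if __name__ == "__main__":
    print(demo())
```

The check is all-or-nothing on purpose: rejecting the whole archive avoids a half-extracted tree, and rejecting symlinks and hard links that point outside the destination closes the variant where a benign-looking member name writes through a link created earlier in the same archive. On Python releases that ship tarfile.data_filter, passing filter="data" to extractall() performs equivalent checks inside the library itself; the explicit pre-scan still helps on older interpreters and gives the application a list of offending member names to log.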

According to Schulz, Trellix built a free tool called Creosote to scan for CVE-2007-4559. The software has already found the bug lurking in apps such as Spyder IDE, an open source scientific environment written in Python, and Polemarch, an IT infrastructure management service for Linux and Docker.

The company estimates the tarfile flaw can be found “in more than 350,000 open source projects and is prevalent in closed source projects.” It also points out that tarfile is a default module in any Python project and is present in frameworks built by AWS, Facebook, Google, and Intel, and in applications for machine learning, automation, and Docker containers.

Trellix says that it is working to make the fixed code available to affected projects.

“Using our tools, we currently have patches for 11,005 repositories ready for pull requests,” explained Charles McFarland, a vulnerability researcher at Trellix, in a blog post. “Each patch will be added to a forked repository and a pull request will be made over time. This will help people and organizations become aware of the issue and give them a one-click fix.

“Due to the size of the vulnerable projects, we expect to continue this process over the next few weeks. It is expected to reach 12.06% of all vulnerable projects, a little over 70,000 projects by the time of completion.”

The remaining 87.94 percent of affected projects may wish to consider other possible options. ®
