GHSA-78m5-jpmf-ch7v
Vulnerability from github
Published
2022-12-05 23:34
Modified
2024-11-18 16:26
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
2.3 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
Summary
GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
Details

Summary

Unsafe extracting using shutil.unpack_archive() from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination.

Details

Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten.

The vulnerable code snippet is between L153..158.

```python response = requests.get(url, stream=True)

with open(zippath, "wb") as f: f.write(response.raw.read())

shutil.unpack_archive(zippath, unzippedpath) `` It seems that a remotely retrieved tarball which could be with the extension.tar.gzhappens to be unpacked usingshutil.unpack_archive()` with no destination verification/limitation of the extracted files.

PoC

The PoC provided showcases the risk of extracting the non-harmless text file sim4n6.txt to a parent location rather than the current folder.

```bash

tar --list -f archive.tar tar: Removing leading `../../../' from member names ../../../sim4n6.txt

python3 Python 3.10.6 (main, Nov 2 2022, 18:53:38) [GCC 11.3.0] on linux Type "help", "copyright", "credits" or "license" for more information.

import shutil shutil.unpack_archive("archive.tar") exit()

file ../../../sim4n6.txt ../../../sim4n6.txt: ASCII text ```

A Potential Attack Scenario

  • An attacker may craft a malicious tarball with a filename path, such as ../../../../../../../../etc/passwd, and then serve the archive remotely, thus, providing a possibility to overwrite the system files.

Mitigation

Potential mitigation could be to: - Use a safer module, like zipfile. - Validate the location of the extracted files and discard those with malicious paths such as a relative path .. or absolute ones.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.7"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "guarddog"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-05T23:34:43Z",
    "nvd_published_at": "2022-12-16T23:15:00Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nUnsafe extracting using `shutil.unpack_archive()` from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination.\n\n### Details\n\nExtracting files using `shutil.unpack_archive()` from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten.  \n\nThe vulnerable code snippet is between [L153..158](https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158). \n\n```python\nresponse = requests.get(url, stream=True)\n\nwith open(zippath, \"wb\") as f:\n      f.write(response.raw.read())\n\nshutil.unpack_archive(zippath, unzippedpath)\n```\nIt seems that a remotely retrieved tarball which could be with the extension `.tar.gz` happens to be unpacked using `shutil.unpack_archive()` with no destination verification/limitation of the extracted files.\n\n### PoC\n\nThe PoC provided showcases the risk of extracting the non-harmless text file `sim4n6.txt` to a parent location rather than the current folder. \n\n```bash\n\u003e tar --list -f archive.tar\ntar: Removing leading `../../../\u0027 from member names\n../../../sim4n6.txt\n\n\u003e python3 \nPython 3.10.6 (main, Nov  2 2022, 18:53:38) [GCC 11.3.0] on linux\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information.\n\u003e\u003e\u003e import shutil\n\u003e\u003e\u003e shutil.unpack_archive(\"archive.tar\")\n\u003e\u003e\u003e exit()\n\n\u003e file ../../../sim4n6.txt\n../../../sim4n6.txt: ASCII text\n```\n\n### A Potential Attack Scenario\n\n- An attacker may craft a malicious tarball with a filename path, such as `../../../../../../../../etc/passwd`, and then serve the archive remotely, thus, providing a possibility to overwrite the system files.\n\n### Mitigation\n\nPotential mitigation could be to:\n- Use a safer module, like `zipfile`.\n- Validate the location of the extracted files and discard those with malicious paths such as a relative path `..` or absolute ones. ",
  "id": "GHSA-78m5-jpmf-ch7v",
  "modified": "2024-11-18T16:26:28Z",
  "published": "2022-12-05T23:34:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23530"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DataDog/guarddog"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/guarddog/PYSEC-2022-42993.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.