At least 350,000 open source projects are believed to be potentially vulnerable to exploitation via a Python module flaw that hasn’t been patched for 15 years.
On Tuesday, security firm Trellix said its threat researchers had found a vulnerability in Python's tarfile module, which provides a way to read and write compressed bundles of files known as tar archives. Initially, the bug hunters thought they had stumbled upon a zero-day.
It turned out to be a roughly 5,500-day: the bug has been living its best life for the past decade and a half while awaiting extinction.
Tracked as CVE-2007-4559, the vulnerability surfaced on August 24, 2007, in a Python mailing list post by Jan Matejek, who at the time was the maintainer of the Python package for SUSE. It can be exploited to overwrite and hijack files on a victim's machine when a malicious tar file is opened by a vulnerable application via the tarfile module.
“The vulnerability is basically this: if you tar a file called "../../../../../etc/passwd" and then have the admin untar it, /etc/passwd is overwritten,” Matejek explained at the time.
The tarfile directory traversal flaw was reported on August 29, 2007 by Tomas Hoger, a Red Hat software engineer.
But it had already been addressed, more or less. A day earlier, Lars Gustäbel, maintainer of the tarfile module, made a code change that added a check_paths parameter defaulting to true, and a helper function for the TarFile.extractall() method that throws an error if the path of a tar file is not secure.
But the fix did not address the TarFile.extract() method, which Gustäbel said “should not be used at all”, and left open the possibility that extracting data from untrusted files could cause problems.
In a comment thread, Gustäbel explained that he no longer considers this a security issue. “tarfile.py doesn’t do anything wrong, its behavior conforms to the pax definition and pathname resolution guidelines in POSIX,” he wrote.
“There is no known or possible practical exploit. I [updated] the documentation with a warning that it might be dangerous to extract files from untrusted sources. That’s the only thing to do in my opinion.”
Indeed, the documentation describes this footgun:
Warning: Never extract files from untrusted sources without prior inspection. Files may be created outside of path, for example members that have absolute filenames starting with "/" or filenames with two dots "..".
And yet here we are, with both extract() and extractall() continuing to pose the threat of arbitrary path traversal.
“The vulnerability is a path traversal attack on the extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the ‘..’ sequence to filenames in a tar archive,” explained Kasimir Schulz, vulnerability researcher at Trellix, in a blog post.
The sequence “..” moves the current working path up to the parent directory. So using code like the six-line snippet below, says Schulz, the tarfile module can be made to read and modify a file’s metadata before adding it to the tar archive. The result is an exploit.
import tarfile

# Filter callback: tarfile calls this for each member before writing it,
# so the stored name can be prefixed with a traversal sequence.
def change_name(tarinfo):
    tarinfo.name = "../" + tarinfo.name
    return tarinfo

with tarfile.open("exploit.tar", "w:xz") as tar:
    tar.add("malicious_file", filter=change_name)
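The defensive counterpart to the snippet above, as an added example that is not part of the article or of Trellix's tooling: it builds a constructed in-memory archive whose member name carries a traversal sequence (the same effect the filter trick achieves), then audits every member against the intended destination before anything is written, refusing the whole archive if any member, link target included, would resolve outside that directory. The helper names (build_sample_archive, unsafe_members, safe_extractall, audit_sample, extract_sample) and the destination path /tmp/extract-here are assumptions made for the example.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive(member_name, payload=b"constructed payload\n"):
    """Build an in-memory tar whose single member is stored under member_name.

    Constructed test data: the name is set directly on the TarInfo, which
    has the same effect as the filter-based rename the article shows.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf


def is_within(base, target):
    """True if target normalises to base itself or to a path beneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def unsafe_members(tar, dest):
    """Names of members that would be written, or would point, outside dest.

    Catches '..' components and absolute names (the vectors the article
    describes) and also symlink/hardlink members whose target escapes dest.
    """
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within(dest, target):
            bad.append(member.name)
            continue
        if member.issym():
            # A symlink target is resolved relative to the link's own directory.
            link = os.path.join(os.path.dirname(target), member.linkname)
        elif member.islnk():
            # A hard link target is a name relative to the archive root.
            link = os.path.join(dest, member.linkname)
        else:
            continue
        if not is_within(dest, link):
            bad.append(member.name)
    return bad


def safe_extractall(tar, dest):
    """Refuse the whole archive if any member is unsafe; otherwise extract."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise tarfile.ExtractError(f"refusing to extract, unsafe member(s): {bad}")
    # Python 3.12+ ships its own member check (PEP 706); use it as a second layer.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, **kwargs)


def audit_sample(member_name, dest="/tmp/extract-here"):
    """Audit a constructed archive against dest; nothing is written to disk."""
    with tarfile.open(fileobj=build_sample_archive(member_name), mode="r") as tar:
        return unsafe_members(tar, dest)


def extract_sample(member_name, dest=None):
    """Attempt a guarded extraction into a fresh temp dir; True means refused."""
    dest = dest or tempfile.mkdtemp(prefix="tar-demo-")
    with tarfile.open(fileobj=build_sample_archive(member_name), mode="r") as tar:
        try:
            safe_extractall(tar, dest)
        except tarfile.ExtractError:
            return True
    return False


if __name__ == "__main__":
    for name in ("../escaped.txt", "/etc/passwd", "docs/readme.txt"):
        print(f"{name!r}: unsafe={audit_sample(name)} refused={extract_sample(name)}")
```

The check runs over the member list before extraction starts, so a bad archive is rejected without a single file touching disk; checking member by member during extraction would leave the earlier members behind. On Python 3.12 and later the same protection is available from the standard library itself via extractall(path, filter="data"), and the example enables it whenever the running interpreter supports it.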
According to Schulz, Trellix created a free tool called Creosote to search for CVE-2007-4559. The software has already found the bug lurking in apps like Spyder IDE, an open source scientific environment written for Python, and Polemarch, an IT infrastructure management service for Linux and Docker.
The company estimates the tarfile flaw can be found “in more than 350,000 open source projects and is prevalent in closed source projects.” It also points out that tarfile is a default module in any Python project and is present in frameworks built by AWS, Facebook, Google, and Intel, and in applications for machine learning, automation, and Docker containers.
Trellix says that it is working to make the fixed code available to affected projects.
“Using our tools, we currently have patches for 11,005 repositories, ready for pull requests,” explained Charles McFarland, vulnerability researcher at Trellix, in a blog post. “Each patch will be added to a forked repository and a pull request will be made over time. This will help people and organizations become aware of the issue and give them a one-click fix.
“Due to the size of the vulnerable projects, we expect to continue this process over the next few weeks. It is expected to reach 12.06% of all vulnerable projects, a little over 70,000 projects by the time of completion.”
The remaining 87.94 percent of affected projects may wish to consider other possible options. ®