15-year-old Python flaw found in ‘over 350,000’ projects

At least 350,000 open source projects are believed to be vulnerable to exploitation via a flaw in a Python module that has remained unfixed for 15 years.

Security firm Trellix said Tuesday that its threat researchers had encountered a vulnerability in Python's tarfile module, which provides a way to read and write compressed bundles of files known as tar archives. At first, the bug hunters thought they had come across a zero-day.

It turns out the problem is around 5,500 days old: this bug has been living its best life for the past decade and a half while awaiting extinction.

The vulnerability, tracked as CVE-2007-4559, was identified on August 24, 2007, in a Python mailing list post from Jan Matejek, who at the time was the Python package maintainer for SUSE. It can be exploited to overwrite and hijack files on a victim’s device when a vulnerable application opens a malicious tar archive via tarfile.

“The vulnerability basically goes like this: If you tar a file named "../../../../../etc/passwd" and then make the admin untar it, /etc/passwd gets overwritten,” Matejek explained at the time.

The tarfile directory traversal defect was reported on August 29, 2007 by Tomas Hoger, a software engineer at Red Hat.

But it had already been addressed, sort of. A day earlier, Lars Gustäbel, the tarfile module maintainer, committed a code change that adds a default-true check_paths parameter and a helper function to the TarFile.extractall() method, which throws an error if a tar archive file path is not safe.

But the fix did not address the TarFile.extract() method – which Gustäbel said “should not be used at all” – and left open the possibility that extracting data from untrusted archives could cause problems.

In a comment thread, Gustäbel explained that he no longer considered this a security issue. He wrote: “tarfile.py does nothing wrong, and its behavior conforms to the pax definition and pathname resolution guidelines in POSIX.

“There is no known or possible practical exploit. I [updated] the documentation with a warning of the danger of extracting archives from unreliable sources. This is the only thing that needs to be done IMO.”

Indeed, the documentation describes this footgun:

Warning: Never extract archives from untrusted sources without prior checking. Files may be created outside of path, for example members with absolute filenames starting with "/" or filenames with two dots "..".

And yet here we are, with both extract() and extractall() still posing the risk of arbitrary path traversal.

“The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the sequence “..” to filenames in a tar archive,” Kasimir Schulz, a Trellix vulnerability researcher, explained in a blog post.

The sequence “..” changes the current working path to the parent directory. So, using code like the six-line snippet below, Schulz says, the tarfile module can be told to read and modify a file’s metadata before it is added to the tar archive. The result is an exploit.

import tarfile

def change_name(tarinfo):
    tarinfo.name = "../" + tarinfo.name
    return tarinfo

with tarfile.open("exploit.tar", "w:xz") as tar:
    tar.add("malicious_file", filter=change_name)
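
The check that the documentation warning leaves to the caller can be written as follows. This is an added example, not code from Trellix, Creosote or the Python project; the names unsafe_members, safe_extractall and build_sample are hypothetical, and the sample archive is constructed in memory. It also covers link members that point outside the destination, which goes beyond the “..” case shown above.

```python
import io
import os
import tarfile


def unsafe_members(tar, dest):
    """Return names of members that would be written outside dest."""
    root = os.path.realpath(dest)

    def outside(path):
        return os.path.commonpath([root, os.path.realpath(path)]) != root

    bad = []
    for m in tar.getmembers():
        target = os.path.join(root, m.name)  # absolute names replace root here
        escapes = outside(target)
        if not escapes and (m.issym() or m.islnk()):
            # Symlink targets are relative to the link's directory, hard link
            # targets to the archive root; a link that leaves dest would let
            # a later member be written through it.
            base = os.path.dirname(target) if m.issym() else root
            escapes = outside(os.path.join(base, m.linkname))
        if escapes:
            bad.append(m.name)
    return bad


def safe_extractall(tar, dest):
    """Extract only if every member stays inside dest; otherwise raise."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    # Python releases with extraction filters also accept filter="data".
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, **extra)


def build_sample(members):
    """Constructed sample archive in memory: {name: symlink target or None}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, link in members.items():
            info = tarfile.TarInfo(name)
            if link is None:
                info.size = 7
                tar.addfile(info, io.BytesIO(b"sample\n"))
            else:
                info.type, info.linkname = tarfile.SYMTYPE, link
                tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf)
```

The archive is rejected as a whole rather than extracted in part, so a flagged member never leaves a half-unpacked tree behind.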

According to Schulz, Trellix has created a free tool called Creosote to scan for CVE-2007-4559. The tool has already detected the bug in applications such as Spyder IDE, an open source scientific environment written for Python, and Polemarch, an IT infrastructure management service for Linux and Docker.

The company estimates the tarfile flaw can be found “in more than 350,000 open source projects and prevalent in closed projects”. It points out that tarfile is a default module in any Python project and is present in frameworks created by AWS, Facebook, Google, and Intel, in machine learning and automation applications, and in Docker containers.

Trellix says it is working to make fixed code available for affected projects.

“Using our tools, we currently have patches for 11,005 repositories ready for pull requests,” Charles McFarland, a vulnerability researcher at Trellix, explained in a blog post. “Each patch will be added to a forked repository and a pull request will be made over time. This will help individuals and organizations alike to become aware of the issue and give them a one-click fix.

“Given the scale of projects at risk, we expect this process to continue over the next few weeks. This is expected to reach 12.06 percent of all projects at risk, just over 70,000 projects by the time of completion.”

The remaining 87.94 percent of affected projects may wish to consider other possible options. ®
