15-year-old Python flaw found in ‘over 350,000’ projects • The Register

At the least 350,000 open supply tasks are believed to be probably susceptible to exploitation by way of a Python module flaw that has remained unfixed for 15 years.

On Tuesday, safety agency Trellix stated its risk researchers had encountered a vulnerability in Python’s tarfile module, which gives a technique to learn and write compressed bundles of recordsdata generally known as tar archives. Initially, the bug hunters thought they’d chanced upon a zero-day.

It turned out to be a couple of 5,500-day subject: the bug has been dwelling its finest life for the previous decade-and-a-half whereas awaiting extinction.

Recognized as CVE-2007-4559, the vulnerability surfaced on August 24, 2007, in a Python mailing record put up from Jan Matejek, who was on the time the Python package deal maintainer for SUSE. It may be exploited to probably overwrite and hijack recordsdata on a sufferer’s machine, when a susceptible software opens a malicious tar archive by way of tarfile.

“The vulnerability goes mainly like this: In case you tar a file named "../../../../../and many others/passwd" after which make the admin untar it, /and many others/passwd will get overwritten,” defined Matejek on the time.

The tarfile listing traversal flaw was reported on August 29, 2007 by Tomas Hoger, a software program engineer at Pink Hat.

However it had already been addressed, kind of. Sooner or later earlier, Lars Gustäbel, maintainer of the tarfile module, dedicated a code change that provides a default true check_paths parameter and a helper operate to the TarFile.extractall() methodology that throws an error if a tar archive file path is insecure.

However the repair didn’t handle the TarFile.extract() methodology – which Gustäbel stated “shouldn’t be used in any respect” – and left open the likelihood that extracting information from untrusted archives would possibly trigger issues.

In a remark thread, Gustäbel defined he not considers this a safety subject. “tarfile.py does nothing mistaken, its conduct conforms to the pax definition and pathname decision tips in POSIX,” he wrote.

“There isn’t a recognized or potential sensible exploit. I [updated] the documentation with a warning that it may be harmful to extract archives from untrusted sources. That’s the solely factor to be executed IMO.”

Certainly, the documentation describes this footgun:

Warning: By no means extract archives from untrusted sources with out prior inspection. It’s potential that recordsdata are created outdoors of path, e.g. members which have absolute filenames beginning with "/" or filenames with two dots "..".

And but right here we’re, with each the extract() and extractall() nonetheless posing the specter of arbitrary path traversal.

“The vulnerability is a path traversal assault within the extract and extractall capabilities within the tarfile module that permit an attacker to overwrite arbitrary recordsdata by including the ‘..’ sequence to filenames in a tar archive,” defined Kasimir Schulz, a vulnerability researcher for Trellix, in a weblog put up.

The “..” sequence adjustments the present working path to the mother or father listing. So utilizing code just like the six-line snippet beneath, Schulz says, the tarfile module will be instructed to learn and modify the file’s metadata earlier than it is added to the tar archive. And the result’s an exploit.

import tarfile

def change_name(tarinfo):
    tarinfo.title = "../" + tarinfo.title
    return tarinfo

with tarfile.open("exploit.tar", "w:xz") as tar:
    tar.add("malicious_file", filter=change_name)

In response to Schulz, Trellix constructed a free instrument known as Creosote to scan for CVE-2007-4559. The software program has already discovered the bug lurking in purposes like Spyder IDE, an open-source scientific atmosphere written for Python, and Polemarch, an IT infrastructure administration service for Linux and Docker.

The corporate estimates the tarfile flaw will be discovered “in over 350,000 open-source tasks and prevalent in closed-source tasks.” It additionally factors out that tarfile is a default module in any Python undertaking and is current in frameworks created by AWS, Fb, Google, and Intel, and in purposes for machine studying, automation, and Docker containers.

Trellix says it is working to make repaired code out there to affected tasks.

“Utilizing our instruments, we presently have patches for 11,005 repositories, prepared for pull requests,” defined Charles McFarland, a vulnerability researcher for Trellix, in a weblog put up. “Every patch will probably be added to a forked repository and a pull request remodeled time. It will assist people and organizations alike grow to be conscious of the issue and provides them a one click on repair.

“As a result of dimension of susceptible tasks we count on to proceed this course of over the following few weeks. That is anticipated to hit 12.06 % of all susceptible tasks, slightly over 70K tasks by the point of completion.”

The remaining 87.94 % of affected tasks could want to contemplate different potential choices. ®