15-year-old Python flaw found in "over 350,000" projects

At least 350,000 open source projects are believed to be potentially vulnerable to exploitation via a Python module flaw that has remained unpatched for 15 years.

On Tuesday, security firm Trellix said its threat researchers had come across a vulnerability in Python's tarfile module, which provides a way to read and write tar archives (bundles of files, often compressed). At first the bug hunters thought they had found a zero-day.

It turned out to be more of a 5,500-day: the bug has been sitting in the module for a decade and a half, waiting for someone to finally put it down.

Identified as CVE-2007-4559, the vulnerability first appeared on August 24, 2007 in a Python mailing list post from Jan Matejek, who was the Python package maintainer for SUSE at the time. It can be exploited to potentially overwrite and hijack files on a victim’s machine, when a vulnerable application opens a malicious tarball via tarfile.

“The vulnerability basically looks like this: if you compress a file named "../../../../../etc/passwd" then make the administrator untar it, /etc/passwd is overwritten,” Matejek explained at the time.

The tarfile directory traversal flaw was reported on August 29, 2007 by Tomas Hoger, a software engineer at Red Hat.

But it had already been touched on, sort of. A day earlier, Lars Gustäbel, maintainer of the tarfile module, committed a code change that adds a check_paths parameter defaulting to True and a helper function to the TarFile.extractall() method that raises an error if an archive member's path is insecure.

But the patch did not address the TarFile.extract() method – which, according to Gustäbel, “should not be used at all” – and left open the possibility that extracting data from untrusted archives could cause problems.

In a comment thread, Gustäbel explained that he no longer considers this a security issue. “tarfile.py does nothing wrong, its behavior conforms to the pax definition and path resolution guidelines in POSIX,” he wrote.

“There is no practical exploit known or possible. I [updated] the documentation with a warning that it might be dangerous to extract archives from untrusted sources. It’s the only thing to do IMO.”

Indeed, the documentation describes this footgun:

Warning: Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..".

And yet here we are, with both extract() and extractall() still posing a path traversal risk whenever they are fed an untrusted archive.

“The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by appending the sequence ‘..’ to filenames in a tar archive,” explained Kasimir Schulz, vulnerability researcher for Trellix, in a blog post.

The “..” sequence refers to the parent directory, so a member named with enough of them climbs out of whatever directory the archive is being unpacked into. Using code like the six-line snippet below, Schulz says, an attacker can have the tarfile module rewrite a file's metadata (here, its stored name) before adding it to the tarball. The result is an exploit: when a vulnerable application extracts the archive, the file lands outside the intended directory.

import tarfile

# Rewrite the stored member name so that, on extraction,
# it escapes the destination directory.
def change_name(tarinfo):
    tarinfo.name = "../" + tarinfo.name
    return tarinfo

# The filter is applied to the file's metadata before it is written.
with tarfile.open("exploit.tar", "w:xz") as tar:
    tar.add("malicious_file", filter=change_name)
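To show the other side of the same bug, here is an added example (written for this page, not code from Trellix or the article) that builds an archive with a traversal member using a constructed TarInfo rather than a file on disk, then extracts it through a wrapper that vets every member path, including symlink and hardlink targets, before calling extractall(). The function names, the member names and the file contents are all invented for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def _write_single_member(path, name, content):
    """Write a tar with one member whose stored name is `name` (constructed data)."""
    payload = io.BytesIO(content)
    info = tarfile.TarInfo(name=name)
    info.size = len(content)
    with tarfile.open(path, "w") as tar:
        tar.addfile(info, payload)   # no path check on the write side
    return path


def build_traversal_archive(path):
    """Member named '../escaped.txt', i.e. CVE-2007-4559 bait."""
    return _write_single_member(path, "../escaped.txt", b"owned\n")


def build_benign_archive(path):
    return _write_single_member(path, "data/hello.txt", b"hello\n")


def member_names(path):
    with tarfile.open(path) as tar:
        return [m.name for m in tar.getmembers()]


def is_within_directory(directory, target):
    """True if `target` normalises to a location inside `directory`."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def unsafe_extractall(archive_path, dest):
    """The vulnerable pattern: trust the member names as stored."""
    with tarfile.open(archive_path) as tar:
        tar.extractall(dest)


def safe_extractall(archive_path, dest):
    """Refuse the whole archive if any member would land outside `dest`.

    Link targets are checked as well: a symlink member pointing outside
    `dest`, followed by a member written through that link, is the same
    bug in a different coat. On Python builds that ship PEP 706 extraction
    filters, the built-in 'data' filter is applied too (assumed present
    only if tarfile exposes data_filter).
    """
    dest = os.path.realpath(dest)
    with tarfile.open(archive_path) as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if not is_within_directory(dest, target):
                raise ValueError(f"refusing {member.name!r}: outside {dest}")
            if member.issym():
                link_target = os.path.join(os.path.dirname(target), member.linkname)
            elif member.islnk():
                link_target = os.path.join(dest, member.linkname)
            else:
                continue
            if not is_within_directory(dest, link_target):
                raise ValueError(f"refusing link {member.name!r} -> {member.linkname!r}")
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def demo():
    """Run the scenario in a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as work:
        dest = os.path.join(work, "extract_here")
        os.mkdir(dest)
        bad = build_traversal_archive(os.path.join(work, "exploit.tar"))
        good = build_benign_archive(os.path.join(work, "good.tar"))
        try:
            safe_extractall(bad, dest)
            blocked = False
        except ValueError:
            blocked = True
        escaped = os.path.exists(os.path.join(work, "escaped.txt"))
        safe_extractall(good, dest)
        with open(os.path.join(dest, "data", "hello.txt"), "rb") as f:
            benign = f.read()
        return {
            "bad_member": member_names(bad),
            "blocked": blocked,
            "escaped_file_created": escaped,
            "benign_content": benign,
        }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the traversal archive really does carry a member named "../escaped.txt", that safe_extractall() rejects it without writing anything beside the destination, and that an ordinary archive still extracts. Swapping in unsafe_extractall() for the bad archive reproduces the bug on interpreters that extract with the old fully-trusted behaviour; newer releases that default to the 'data' filter raise instead, which is exactly the fix the standard library eventually shipped.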

According to Schulz, Trellix has built a free tool called Creosote to search for code vulnerable to CVE-2007-4559. The tool has already turned up the bug in applications such as Spyder IDE, an open-source scientific environment written in Python, and Polemarch, an IT infrastructure management service for Linux and Docker.

The company estimates the tarfile flaw can be found “in over 350,000 open-source projects and prevalent in closed-source projects”. It also points out that tarfile ships with every Python installation as a standard library module and is present in frameworks created by AWS, Facebook, Google, and Intel, as well as in applications for machine learning, automation, and Docker containers.

Trellix says it is working to make the repaired code available to affected projects.

“Thanks to our tools, we currently have patches for 11,005 repositories ready for pull requests,” Charles McFarland, vulnerability researcher for Trellix, explained in a blog post. “Each patch will be added to a forked repository and a pull request will be made over time. This will help individuals and organizations become aware of the issue and give them a one-click fix.

“Due to the size of the vulnerable projects, we expect to continue this process over the coming weeks. This is expected to reach 12.06% of all vulnerable projects, or just over 70,000 projects upon completion.”

The remaining 87.94% of affected projects may wish to consider other possible options. ®
