15-year-old unpatched Python bug potentially impacts +350,000 projectsSecurity Affairs

Over 350,000 Open Source Projects Could Potentially Be Affected by 15-Year-Old Unpatched Python Vulnerability

Over 350,000 open source projects may potentially be affected by an unpatched Python vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), discovered 15 years ago.

The issue is a directory traversal vulnerability that resides in the ‘extract’ and ‘extractall’ functions of the tarfile module in Python. A remote user-assisted attacker can trigger the issue to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, an issue related to CVE-2001-1267.

“While investigating an unrelated vulnerability, Trellix Advanced Research Center came across a vulnerability in Python’s tarfile module. Initially, we thought we had found a new zero-day vulnerability. By digging into the problem, we realized that it was in fact CVE-2007-4559.” read it Publish released by security company Trellix. “The vulnerability is a path traversal attack in the extract and extract functions of the tarfile module that allows an attacker to overwrite arbitrary files by appending the sequence “..” to filenames in a TAR archive .”

Experts pointed out that the issue was underestimated, it initially received a CVSS score of 6.8, however, in most cases an attacker exploits this issue to gain code execution from writing of the file. Trellix shared a PoC video that demonstrates how to achieve code execution by exploiting universal radio pirate:

https://www.youtube.com/watch?v=jqs8S51_FRg

An attacker can exploit the flaw by uploading a specially crafted tar file that allows escaping the directory to which a file should be extracted and executing code.

“For an attacker to take advantage of this vulnerability, they must append “..” with the operating system separator (“/” or “”) in the file name to escape the directory the file is supposed to be in. be checked out. Python’s tarfile module allows us to do exactly this:” the post continues.

Creation of a malicious archive (Source Trellix)

“The tarfile module allows users to add a filter that can be used to analyze and modify a file’s metadata before it is added to the tarball. This allows attackers to create their exploits with as little as the 6 lines of code above.

The researchers built Creosote, a Python script that recursively traverses directories looking for .py files and then parsing them once found. The script is used to automatically check repositories for vulnerability. Creosote outputs the list of files that may contain vulnerabilities, sorting them into 3 categories according to the confidence level (Vulnerable, Probably Vulnerable, Potentially Vulnerable).

Trellix added that using the Creosote revealed the existence of a vulnerability in the free and open-source scientific environment Spyder Python IDE Polemarch.

“As demonstrated above, this vulnerability is incredibly easy to exploit, requiring little or no knowledge of complex security topics.” concludes the report. “Due to this fact and the prevalence of the vulnerability in the wild, Python’s tarfile module has become a huge Supply Chain threatens infrastructure around the world.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, Python)




Share on


Comments are closed.