Python Tarfile Flaw Sneaks In Over 350,000 Open Source Projects

A 15-year-old flaw is present in over 350,000 open source projects. Cyber security researchers at Trellix discovered a vulnerability in Python's tarfile module.

Bad actors can exploit this flaw through compressed bundles of files known as tar archives. Trellix initially believed it to be a zero-day. The bug has persisted for more than a decade.

The Python tarfile flaw, tracked as CVE-2007-4559, was first reported on August 24, 2007, in a Python mailing list post by Jan Matejek, Python package maintainer for SUSE. Bad actors can potentially overwrite and hijack files on a victim's machine when a vulnerable application opens a malicious tar archive via tarfile.

At the time, Matejek explained: "The vulnerability goes basically like this: If you tar a file named '../../../../../etc/passwd' and then make the admin untar it, /etc/passwd gets overwritten."

On August 29, 2007, Tomas Hoger, a software engineer at Red Hat, reported the tarfile directory traversal flaw. A day earlier, Lars Gustäbel, maintainer of the tarfile module, had added a fix: a default check_paths parameter to the TarFile.extractall() method that throws an error if a file path in the tar archive is insecure.

Gustäbel, the author of tarfile.py, wrote that this is not a security issue: the code conforms to the POSIX standard, and the documentation addresses the risk by advising users against extracting archives from untrusted sources.

The documentation explicitly warns users not to extract archives from untrusted sources, but the extract() and extractall() functions themselves remain vulnerable to path traversal.

An arbitrary file overwrite vulnerability was found in the extract and extractall functions of the tarfile module. The issue can be exploited by adding parent-directory components ('..') to filenames in an archive. Kasimir Schulz published this information in a blog post.

Each '..' component moves the extraction path up to the parent directory, so a file can be written to a chosen location outside the extraction directory even though the extraction directory itself is never changed. On its own this is not an exploit.
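As an added illustration (not code from the article, from Trellix or from Creosote), the following Python checks where each archive member would actually land before extracting anything, and refuses the whole archive if any member contains '..' components, an absolute name, or a link that points outside the destination. The sample archive is constructed in memory; the function and file names are the author's own.

```python
import io
import os
import tarfile
import tempfile

def is_within_directory(directory: str, target: str) -> bool:
    """True if target resolves inside directory (with '..' and symlinks resolved)."""
    abs_dir = os.path.realpath(directory)
    return os.path.commonpath([abs_dir, os.path.realpath(target)]) == abs_dir

def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members that would escape dest: absolute names, '..' (CVE-2007-4559), or links pointing outside."""
    bad = []
    for m in tar.getmembers():
        path = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or not is_within_directory(dest, path):
            bad.append(m.name)
        elif m.issym() or m.islnk():
            # symlink targets are relative to the member's directory, hard links to the archive root
            base = os.path.dirname(path) if m.issym() else dest
            if not is_within_directory(dest, os.path.join(base, m.linkname)):
                bad.append(m.name)
    return bad

def safe_extractall(tar: tarfile.TarFile, dest: str) -> list:
    """Extract only if every member stays inside dest; otherwise refuse the whole archive."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract, path traversal in members: {bad}")
    tar.extractall(dest)
    return [m.name for m in tar.getmembers()]

def build_archive(entries) -> tarfile.TarFile:
    """Constructed sample: in-memory tar from (name, payload) pairs, e.g. a '../../escape.txt' member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as out:
        for name, payload in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            out.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")

def demo_extract() -> bytes:
    """Extract a benign constructed archive into a fresh temp dir and read the file back."""
    dest = tempfile.mkdtemp()
    safe_extractall(build_archive([("docs/readme.txt", b"hello")]), dest)
    with open(os.path.join(dest, "docs", "readme.txt"), "rb") as f:
        return f.read()
```

Python 3.12 and later (and the security backports to 3.8 through 3.11) also provide `extractall(path, filter="data")`, which rejects the same traversal patterns inside the standard library itself.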

Schulz recommends scanning your application for CVE-2007-4559 with the tool Creosote, which has found the bug lurking inside programs such as Spyder IDE and Polemarch, both written in Python.

Trellix is also working to remediate the vulnerability at scale. Using a one-click fix, they have been able to patch the vulnerability in 11,005 different repositories.

In the coming weeks, 12.06% of all active installs will be updated, with a little over 70K projects patched by the end of the process. Maintainers of the remaining 87.94% of affected projects may wish to consider other options.
