A 15-Year-Old Unpatched Python bug potentially impacts +350K projectsSecurity Affairs

More than 350,000 open source projects can be potentially affected by a 15-Year-Old unpatched Python vulnerability

More than 350,000 open source projects can be potentially affected by an unpatched Python vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), that was discovered 15 years ago.

The issue is a Directory traversal vulnerability that resides in the ‘extract’ and ‘extractall’ functions in the tarfile module in Python. A user-assisted remote attacker can trigger the issue to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

“While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. Initially we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559.” reads the post published by security firm Trellix.”The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive.”

The experts pointed out that the issue was underestimated, it initially received a CVSS score of 6.8, however, in most cases an attacker exploit this issue to gain code execution from the file write. Trellix shared a video PoC that shows how to get code execution by exploiting Universal Radio Hacker:

An attacker can exploit the flaw by uploading a specially crafted tarfile that allows escaping the directory that a file is intended to be extracted to and achieve code execution.

“For an attacker to take advantage of this vulnerability they need to add “..” with the separator for the operating system (“/” or “\”) into the file name to escape the directory the file is supposed to be extracted to. Python’s tarfile module lets us do exactly this:” continues the post.

tarfile python flaw.jpg
Crafting a Malicious Archive (Source Trellix)

“The tarfile module lets users add a filter that can be used to…