The latest version, bastet-v8.1.16, has a path traversal vulnerability that allows an attacker to create or write to files outside the current directory due to improper string comparisons between canonical paths.
How to reproduce:
wget https://github.com/CauldronDevelopmentLLC/cbang/archive/refs/tags/bastet-v8.1.16.tar.gz
tar -xzf bastet-v8.1.16.tar.gz
cd cbang-bastet-v8.1.16/tests
scons
cd tarTests
# place poc.tar in this directory
./tar --extract poc.tar
# verify attack worked
cat ../tarTests.d/config
Root cause:
https://github.com/CauldronDevelopmentLLC/cbang/blob/eae4b58965bdd4d54ea9eb77972674352b37a547/src/cbang/tar/TarFileReader.cpp#L102-L106
The root cause is that the function startsWith in String.cpp returns true, which satisfies the if condition in the function TarFileReader::extract in TarFileReader.cpp.
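The following is an added illustration, not code from cbang or from the original report. It assumes the comparison is a plain string prefix test on normalized paths, which the tarTests / tarTests.d pair in the reproduction suggests, and contrasts it with a component-wise check. The function names and sample paths are constructed, and std::filesystem requires C++17.

```cpp
#include <filesystem>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// Hypothetical helper: where an archive entry would land under base.
// Lexical normalization only, so the example needs no files on disk.
static fs::path resolve(const fs::path &base, const std::string &entry) {
  return (base / entry).lexically_normal();
}

// Weak check: plain string prefix comparison of the two paths.
// "/work/tests/tarTests.d/config" starts with "/work/tests/tarTests".
bool insideByPrefix(const fs::path &base, const std::string &entry) {
  const std::string b = base.lexically_normal().string();
  return resolve(base, entry).string().compare(0, b.size(), b) == 0;
}

// Stricter check: compare whole path components. The target is inside base
// only if its path relative to base exists and does not climb out with "..".
bool insideByComponents(const fs::path &base, const std::string &entry) {
  const fs::path rel =
      resolve(base, entry).lexically_relative(base.lexically_normal());
  return !rel.empty() && *rel.begin() != "..";
}

int main() {
  const fs::path base = "/work/tests/tarTests";  // constructed sample path
  const char *entries[] = {"docs/readme.txt", "../tarTests.d/config",
                           "../../etc/passwd"};  // constructed entry names
  for (const char *e : entries)
    std::cout << e << "  prefix=" << insideByPrefix(base, e)
              << "  components=" << insideByComponents(base, e) << '\n';
}
```

Only the sibling-directory entry separates the two checks: the prefix test accepts it, the component test rejects it.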
PoC image:
Extract poc.zip to obtain poc.tar.