CauldronDevelopmentLLC / cbang

C! (cbang) is a library for cross-platform C++ development.
GNU Lesser General Public License v2.1

Path traversal bug in TarFileReader::extract #115

Closed eqawasm closed 1 year ago

eqawasm commented 1 year ago

Impact: 

The latest version bastet-v8.1.16 has a path traversal vulnerability that allows the attacker to create or write to files outside the current directory due to improper string comparisons between canonical paths.

How to reproduce:

wget https://github.com/CauldronDevelopmentLLC/cbang/archive/refs/tags/bastet-v8.1.16.tar.gz
tar -xzf bastet-v8.1.16.tar.gz
cd cbang-bastet-v8.1.16/tests
scons
cd tarTests
# place poc.tar in this directory
./tar --extract poc.tar
# verify attack worked
cat ../tarTests.d/config

Root cause:

https://github.com/CauldronDevelopmentLLC/cbang/blob/eae4b58965bdd4d54ea9eb77972674352b37a547/src/cbang/tar/TarFileReader.cpp#L102-L106

The root cause is the return true value in the function startsWith in String.cpp, which passes the if condition in the function TarFileReader::extract in TarFileReader.cpp.

PoC image:

Extract poc.zip to obtain poc.tar: poc.zip
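The following is an added example, not cbang's code and not part of the report above. It shows why a plain string-prefix comparison between canonical paths is not a containment check, which is the mechanism the report's reproduction points at: the extraction directory is tarTests and the file lands in the sibling ../tarTests.d/config, whose canonical path starts with the same characters. The exact cbang logic is not reproduced here; naivePrefixCheck is an assumed stand-in for the flawed comparison, and the root path /build/tests/tarTests and the entry names are constructed. isContainedIn and entryIsSafe show a component-aware check that a tar extractor can apply to each entry before writing it.

```cpp
// Added example (not cbang code): prefix comparison vs. component-aware
// containment when deciding whether a tar entry may be written under a root.
#include <filesystem>
#include <iostream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Flawed check of the kind the report describes (assumed mechanism): a plain
// string prefix comparison on canonical paths. It cannot distinguish
// "/x/tarTests/config" from "/x/tarTests.d/config": both begin with "/x/tarTests".
bool naivePrefixCheck(const std::string &root, const std::string &candidate) {
  return candidate.compare(0, root.size(), root) == 0;
}

// Component-aware containment: normalize both paths lexically (folds "." and
// "..", no filesystem access), express the candidate relative to the root, and
// reject anything that is empty (unrelated roots) or starts by climbing out.
bool isContainedIn(const std::string &rootStr, const std::string &candidateStr) {
  fs::path root = fs::path(rootStr).lexically_normal();
  fs::path candidate = fs::path(candidateStr).lexically_normal();
  fs::path rel = candidate.lexically_relative(root);
  if (rel.empty()) return false;           // different root names, not comparable
  return rel.begin()->string() != "..";    // first component must not escape
}

// Decide whether extracting an archive entry name under root stays inside it.
// Absolute entry names are rejected outright; relative ones are joined to the
// root and checked component by component.
bool entryIsSafe(const std::string &root, const std::string &entryName) {
  fs::path entry(entryName);
  if (entry.is_absolute()) return false;
  return isContainedIn(root, (fs::path(root) / entry).string());
}

// Keep only the entries an extractor should be willing to write.
std::vector<std::string> filterSafeEntries(const std::string &root,
                                           const std::vector<std::string> &entries) {
  std::vector<std::string> safe;
  for (const auto &e : entries)
    if (entryIsSafe(root, e)) safe.push_back(e);
  return safe;
}

int main() {
  // Constructed layout mirroring the report: extraction root ".../tests/tarTests",
  // attacker target in the sibling directory ".../tests/tarTests.d".
  const std::string root = "/build/tests/tarTests";
  const std::vector<std::string> entries = {
    "config",                 // ordinary file inside the root
    "sub/../config",          // stays inside after normalization
    "../tarTests.d/config",   // sibling that shares the root as a string prefix
    "../../etc/passwd",       // plain climb-out
    "/etc/passwd"             // absolute name
  };
  for (const auto &e : entries) {
    std::string joined = (fs::path(root) / e).lexically_normal().string();
    std::cout << e << " -> prefix check " << (naivePrefixCheck(root, joined) ? "accepts" : "rejects")
              << ", component check " << (entryIsSafe(root, e) ? "accepts" : "rejects") << "\n";
  }
  return 0;
}
```

The prefix comparison accepts ../tarTests.d/config because after normalization it reads /build/tests/tarTests.d/config, which shares the root's characters; the component check sees that its path relative to the root begins with ".." and refuses it. The same check rejects absolute names and any entry that normalizes to a location outside the root, which is what an extractor needs before creating files.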

jcoffland commented 1 year ago

I believe the above commit fixes the issue. Thanks!