[Python] Unsafe Unpacking and TarSlip bug slaying

[Sim4n6]

CVE(s) ID list

• CVE-2022-23522
• CVE-2023-30620
• CVE-2023-31131
• CVE-2022-23530
• CVE-2022-3607

All For One submission

https://github.com/github/securitylab/issues/719

Details

• The criticality score is within the limits:
• The queries Unsafe unpacking using shutil.unpack_archive() query and tests or TarSlip vulnerability improvements have been both used to identify the vulnerabilities.
• Each published report is specific and I have been using mainly GitHub private vulnerability reporting.
• For the 05 CVEs, the vulnerability report identifies the source/sink vulnerable code.
• I did not run variant analysis at scale, since when I started reporting the TarSlip/Unsafe extraction cases, back in December 2022, it was not yet released for public use.
• I want to add that it is a bit difficult to convince using the CVSS scoring system maintainers about the severity. Some of them consider it High severity, others succumb to a bit of subjectivity.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

• [X] Yes
• [ ] No

Blog post link

https://twitter.com/sim4n6

[pwntester]

Hi @Sim4n6

Thanks for the submission!

I want to add that it is a bit difficult to convince using the CVSS scoring system maintainers about the severity. Some of them consider it High severity, others succumb to a bit of subjectivity.

Agreed, for that reason, I would like to reevaluate the severity assigned for the 3 medium/moderate CVEs. Can you provide a brief explanation for each of them detailing why they should have a higher severity? (Please include 1) How can an attacker control the untarred file, 2) permissions required and 3) Impact of being able to override a file for those specific systems)

[Sim4n6]

Hi @pwntester

Thank you very much for considering a severity reevaluation.

I would provide details on each moderate severity CVE in separate comments, please.

@Sim4n6

[Sim4n6]

CVE-2022-23530

The vulnerability was reported in GHSA-78m5-jpmf-ch7v. I've asked the maintainers for a CVE score reevaluation https://github.com/DataDog/guarddog/issues/223 but with no success ...

The vulnerable code is L153-L158 :

response = requests.get(url, stream=True)

with open(zippath, "wb") as f:
      f.write(response.raw.read())

shutil.unpack_archive(zippath, unzippedpath)

Steps in Code

• The source of url is a tarball hosted in the PyPI repository.
• Any developer could publish a package in tarball format using twine.
• When "guarddog" package is running it would retrieve the remote tarball and download_compressed. Which would lead to arbitrary file creation/overwrite.
• The integrity metric was set to Low, I suggest High https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

[Sim4n6]

CVE-2023-31131

The report was made through GitHub's private reporting feature in here. I suggested the "Scope" metric needs to be Changed since the affected component and the vulnerable one are not the same (the underlying filesystem and gpdb). The malicious tarball could come from CLI in the gpdb CI tool.

The vulnerable code was similar to:

        # untar the package into tmp folder
        with closing(tarfile.open(self.gppkg.abspath)) as tarinfo:
            tarinfo.extractall(TEMP_EXTRACTION_PATH) 

An attacker can use this vulnerability to overwrite data or system files potentially leading to a crash or malfunction of the system. That is what the final advisory suggests. As an ethical hacker, I believe with a maliciously crafted tarball, I could own that machine (overwrite a private ssh key for instance) but that would depend on the user's permission to write on ~/.ssh/.

[Sim4n6]

CVE-2022-3607

This one is pure gold. The vulnerability was a rare full TarSlip (upload <> download any file). I mean you upload through a web app feature a malicious tarball with a symlink, that gets extracted within the server context using the web app user privileges, and then you could download any file pointed out by the symlink.

PS: You need an authenticated user and the web app is recommended to remain local, with no remote exposure.

[pwntester]

Thanks for the additional input. We have reconsider the CVSS assigned to CVE-2022-23530 and CVE-2022-3607 and therefore the submission qualifies for the bounty.

[ghsecuritylab]

Your submission is now in status Final decision.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[xcorail]

Created Hackerone report 2023841 for bounty 488338 : [759] [Python] Unsafe Unpacking and TarSlip bug slaying