Impact:
The latest version bastet-v8.1.16 has a path traversal vulnerability that allows the attacker to create or write to files outside the current directory due to improper string comparisons between canonical paths.

How to reproduce:
```bash
wget https://github.com/CauldronDevelopmentLLC/cbang/archive/refs/tags/bastet-v8.1.16.tar.gz
tar -xzf bastet-v8.1.16.tar.gz
cd cbang-bastet-v8.1.16/tests
scons
cd tarTests
# place poc.tar in this directory
./tar --extract poc.tar
# verify attack worked
cat ../tarTests.d/config
```

Root cause:
cbang/src/cbang/tar/TarFileReader.cpp
Lines 102 to 106 in eae4b58
```cpp
string a = SystemUtilities::getCanonicalPath(_path);
string b = SystemUtilities::getCanonicalPath(path);
if (!String::startsWith(b, a))
  THROW("Tar path points outside of the extraction directory: " << path);
}
```
The root cause is the `return true` value in function `startsWith` in String.cpp, which passes the `if` condition in function `TarFileReader::extract` in TarFileReader.cpp.
PoC image:
Extract poc.zip to obtain poc.tar: poc.zip
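The following is an added example, not code from cbang or from the issue author. It contrasts a raw string-prefix check of the shape quoted above with a component-wise containment check, using constructed paths modelled on the reproduction, where the written file lands in `../tarTests.d/`. The names `components`, `prefixCheck` and `isInside` and the `/work/...` paths are hypothetical.

```cpp
// Added example, not cbang code. All paths below are constructed samples.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Split an absolute POSIX path into components, resolving "." and ".."
// lexically. Real code should canonicalize first so symlinks are resolved.
std::vector<std::string> components(const std::string &path) {
  std::vector<std::string> out;
  std::istringstream in(path);
  std::string part;
  while (std::getline(in, part, '/')) {
    if (part.empty() || part == ".") continue;
    if (part == "..") { if (!out.empty()) out.pop_back(); }
    else out.push_back(part);
  }
  return out;
}

// Shape of the check quoted in the issue: raw string prefix comparison.
bool prefixCheck(const std::string &root, const std::string &target) {
  return target.compare(0, root.size(), root) == 0;
}

// Component-wise containment: every component of root must match, in order,
// so "tarTests.d" is never treated as being inside "tarTests".
bool isInside(const std::string &root, const std::string &target) {
  std::vector<std::string> r = components(root), t = components(target);
  if (t.size() < r.size()) return false;
  for (size_t i = 0; i < r.size(); i++)
    if (r[i] != t[i]) return false;
  return true;
}

int main() {
  const std::string root = "/work/tests/tarTests";  // extraction directory
  const char *entries[] = {"config", "sub/../ok.txt", "../tarTests.d/config",
                           "../../etc/x"};
  for (const char *e : entries) {
    std::string target = root + "/" + e, norm;
    // The prefix check sees the normalized string, as in the quoted code.
    for (const std::string &c : components(target)) norm += "/" + c;
    std::cout << e << ": prefix=" << prefixCheck(root, norm)
              << " components=" << isInside(root, target) << "\n";
  }
}
```

Only the `../tarTests.d/config` entry gets different answers from the two checks: the prefix comparison accepts it because the sibling directory name begins with the extraction directory name.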