Path traversal bug in TarFileReader::extract #115

eqawasm · 2023-04-04T19:34:00Z

Impact:

The latest version bastet-v8.1.16 has a path traversal vulnerability that allows the attacker to create or write to files outside the current directory due to improper string comparisons between canonical paths.

How to reproduce:

wget https://github.com/CauldronDevelopmentLLC/cbang/archive/refs/tags/bastet-v8.1.16.tar.gz
tar -xzf bastet-v8.1.16.tar.gz
cd cbang-bastet-v8.1.16/tests
scons
cd tarTests
# place poc.tar in this directory
./tar --extract poc.tar
# verify attack worked
cat ../tarTests.d/config

Root cause:

cbang/src/cbang/tar/TarFileReader.cpp

Lines 102 to 106 in eae4b58

    
             string a = SystemUtilities::getCanonicalPath(_path); 
        
             string b = SystemUtilities::getCanonicalPath(path); 
        
             if (!String::startsWith(b, a)) 
        
               THROW("Tar path points outside of the extraction directory: " << path); 
        
           }

The root cause is the return true value in function startsWith in String.cpp that passes if condition in function TarFileReader::extract in TarFileReader.cpp.

PoC image:

Extract poc.zip to obtain poc.tar: poc.zip

The text was updated successfully, but these errors were encountered:

jcoffland · 2023-04-11T09:50:39Z

I believe the above commit fixes the issue. Thanks!

jcoffland added a commit that referenced this issue Apr 11, 2023

Path traversal bug in TarFileReader::extract() #115

ac8bbdd

jcoffland closed this as completed Apr 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Path traversal bug in TarFileReader::extract #115

Path traversal bug in TarFileReader::extract #115

eqawasm commented Apr 4, 2023

jcoffland commented Apr 11, 2023

Path traversal bug in TarFileReader::extract #115

Path traversal bug in TarFileReader::extract #115

Comments

eqawasm commented Apr 4, 2023

jcoffland commented Apr 11, 2023