Impact:
The latest version, bastet-v8.1.16, has a path traversal vulnerability that allows an attacker to create or write to files outside the current directory due to an improper string comparison between canonical paths.
How to reproduce:
wget https://github.com/CauldronDevelopmentLLC/cbang/archive/refs/tags/bastet-v8.1.16.tar.gz
tar -xzf bastet-v8.1.16.tar.gz
cd cbang-bastet-v8.1.16/tests
scons
cd tarTests
# place poc.tar in this directory
./tar --extract poc.tar
# verify attack worked
cat ../tarTests.d/config
Root cause:
cbang/src/cbang/tar/TarFileReader.cpp, lines 102 to 106 in eae4b58:
string a = SystemUtilities::getCanonicalPath(_path);
string b = SystemUtilities::getCanonicalPath(path);
if (!String::startsWith(b, a))
  THROW("Tar path points outside of the extraction directory: " << path);
}
The root cause is that startsWith in String.cpp returns true, which passes the if condition in TarFileReader::extract in TarFileReader.cpp.
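The PoC's target ../tarTests.d/config begins with the name of the extraction directory, tarTests, so a bare prefix match on the two canonical strings accepts it. The following is an added example written for this page, not cbang's code and not part of the report: it reproduces the shape of the startsWith(b, a) test on plain std::string values beside a check that also requires a path separator after the directory prefix. Both paths are assumed to be already canonical absolute paths (cbang's SystemUtilities::getCanonicalPath() is not called); the directory and entry names are constructed for the demonstration.

```cpp
// Added example, not cbang's code: a bare prefix comparison of two canonical
// paths accepts a target in a sibling directory whose name merely begins with
// the extraction directory's name; the fixed form closes that gap.
#include <iostream>
#include <string>
#include <vector>

// Assumption: both arguments are already canonical absolute paths (no "." or
// ".." components, symlinks resolved, no trailing '/' except for the root).
// cbang's SystemUtilities::getCanonicalPath() is deliberately not used here.

static bool startsWith(const std::string &s, const std::string &prefix) {
  return s.size() >= prefix.size() && s.compare(0, prefix.size(), prefix) == 0;
}

// Vulnerable form: "/work/tarTests.d/config" starts with "/work/tarTests",
// so it passes even though it lies outside "/work/tarTests".
bool insideDirVulnerable(const std::string &dir, const std::string &target) {
  return startsWith(target, dir);
}

// Hardened form: the target must be the directory itself, or continue with a
// path separator immediately after the directory prefix.
bool insideDirFixed(const std::string &dir, const std::string &target) {
  if (dir.empty()) return false;
  if (target == dir) return true;
  if (!startsWith(target, dir)) return false;
  if (dir.back() == '/') return true;  // the root "/" already ends in '/'
  return target.size() > dir.size() && target[dir.size()] == '/';
}

using Check = bool (*)(const std::string &, const std::string &);

// Applies a containment check to each canonical entry path and returns the
// entries it would reject.
std::vector<std::string> rejectedEntries(const std::string &dir,
                                         const std::vector<std::string> &entries,
                                         Check inside) {
  std::vector<std::string> out;
  for (const std::string &e : entries)
    if (!inside(dir, e)) out.push_back(e);
  return out;
}

// Constructed sample: the extraction directory and the canonical targets of
// four tar entries; the second has the PoC's sibling-directory shape.
const std::string kExtractDir = "/work/tarTests";
const std::vector<std::string> kSampleEntries = {
  "/work/tarTests/config",
  "/work/tarTests.d/config",
  "/work/other/config",
  "/work/tarTests",
};

int main() {
  const std::vector<Check> checks = {insideDirVulnerable, insideDirFixed};
  for (Check c : checks) {
    std::cout << (c == insideDirFixed ? "fixed" : "vulnerable") << " rejects:";
    for (const std::string &e : rejectedEntries(kExtractDir, kSampleEntries, c))
      std::cout << ' ' << e;
    std::cout << '\n';
  }
  return 0;
}
```

The vulnerable check rejects only /work/other/config; the fixed check additionally rejects /work/tarTests.d/config while still accepting the extraction directory itself and its descendants. The separator test is what distinguishes a descendant from a sibling with a shared name prefix; comparing canonical strings alone is not enough.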
PoC image:
Extract poc.zip to obtain poc.tar: poc.zip