Creation of files outside the Download Folder through malicious PAR2 files

High
Safihre published GHSA-jwj3-wrvf-v3rp May 7, 2021

Package

SABnzbd

Affected versions

<3.0.0 (Windows); <3.2.1 (other operating systems)

Patched versions

3.2.1

Description

A vulnerability was discovered in SABnzbd that could trick the filesystem.renamer() function into writing downloaded files outside the configured Download Folder via malicious PAR2 files.

The vulnerability was discovered and disclosed by Puzzledsab.

Impact

Exploiting the vulnerability requires downloading an NZB file that causes malicious PAR2 and other files posted by an attacker to be retrieved from Usenet. No interaction is required; the attacker only needs to trick a user, or an automated setup of third-party applications integrating with SABnzbd, into adding such an NZB to the download queue.

The Download Folder in SABnzbd is user-configurable and defaults to ~/Downloads. The ability to create files elsewhere might afford the attacker the leverage to run commands or otherwise manipulate the system, for example by adding files in locations used by other programs or by depleting disk space on other partitions. Files may be created anywhere the privileges of the SABnzbd process permit.

Note: an attacker is limited to creating new files; existing files will not be overwritten, modified or deleted, regardless of permissions.

Patches

Patched in commit 3766ba5, released as part of SABnzbd 3.2.1RC1.

Workarounds

Limit downloads to NZBs without PAR2 files, deny write permissions to the SABnzbd process outside areas it must access to perform its job, or update to a fixed version.
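
A generic containment check for rename targets taken from untrusted PAR2 data, added here as an example: it is not SABnzbd's code or the fix in commit 3766ba5, and the advisory does not describe the exact flaw. The names contained_target, safe_rename and demo and the sample file names are assumptions for illustration, as is the choice to allow subfolders inside the Download Folder.

```python
import os
import tempfile


class UnsafeRenameError(Exception):
    """The requested name would resolve outside the download folder."""


def contained_target(download_dir, name):
    """Return the absolute path for name inside download_dir, or raise."""
    base = os.path.realpath(download_dir)
    # Untrusted name from a PAR2 file: treat backslashes as separators too.
    rel = name.replace("\\", "/")
    if not rel or "\x00" in rel or os.path.isabs(rel):
        raise UnsafeRenameError(name)
    # realpath collapses ".." and follows symlinks before the comparison.
    target = os.path.realpath(os.path.join(base, rel))
    prefix = os.path.normcase(base).rstrip(os.sep) + os.sep
    if not os.path.normcase(target).startswith(prefix):
        raise UnsafeRenameError(name)
    return target


def safe_rename(download_dir, old_name, new_name):
    """Rename old_name to new_name, both confined to download_dir."""
    source = contained_target(download_dir, old_name)
    target = contained_target(download_dir, new_name)
    if os.path.lexists(target):  # never replace an existing file
        raise FileExistsError(target)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    os.rename(source, target)
    return target


def demo():
    """Try constructed sample names; return {name: accepted?}."""
    names = ["episode.mkv", "../out.txt", "..\\out.txt", "/tmp/out.txt"]
    outcome = {}
    with tempfile.TemporaryDirectory() as root:
        download_dir = os.path.join(root, "Downloads")
        os.mkdir(download_dir)
        for name in names:
            open(os.path.join(download_dir, "obfuscated.bin"), "w").close()
            try:
                safe_rename(download_dir, "obfuscated.bin", name)
                outcome[name] = True
            except UnsafeRenameError:
                outcome[name] = False
    return outcome
```

The check and the rename are separate steps, so this does not remove the need for the filesystem permissions workaround when other processes can modify the Download Folder concurrently.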

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-29488

Weaknesses

No CWEs

Credits