CVE-2022-23530: GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package

First published: Mon Dec 05 2022(Updated: )

### Summary Unsafe extracting using `shutil.unpack_archive()` from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination. ### Details Extracting files using `shutil.unpack_archive()` from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. The vulnerable code snippet is between [L153..158](https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158). ```python response = requests.get(url, stream=True) with open(zippath, "wb") as f: f.write(response.raw.read()) shutil.unpack_archive(zippath, unzippedpath) ``` It seems that a remotely retrieved tarball which could be with the extension `.tar.gz` happens to be unpacked using `shutil.unpack_archive()` with no destination verification/limitation of the extracted files. ### PoC The PoC provided showcases the risk of extracting the non-harmless text file `sim4n6.txt` to a parent location rather than the current folder. ```bash > tar --list -f archive.tar tar: Removing leading `../../../' from member names ../../../sim4n6.txt > python3 Python 3.10.6 (main, Nov 2 2022, 18:53:38) [GCC 11.3.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import shutil >>> shutil.unpack_archive("archive.tar") >>> exit() > file ../../../sim4n6.txt ../../../sim4n6.txt: ASCII text ``` ### A Potential Attack Scenario - An attacker may craft a malicious tarball with a filename path, such as `../../../../../../../../etc/passwd`, and then serve the archive remotely, thus, providing a possibility to overwrite the system files. ### Mitigation Potential mitigation could be to: - Use a safer module, like `zipfile`. - Validate the location of the extracted files and discard those with malicious paths such as a relative path `..` or absolute ones.

Credit: security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/type
• collector/mitre-cve
• source/MITRE
• agent/weakness
• agent/title
• agent/severity
• agent/remedy
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-78m5-jpmf-ch7v
• alias/CVE-2022-23530
• agent/software-canonical-lookup
• agent/last-modified-date
• agent/references
• agent/author
• agent/description
• agent/first-publish-date
• collector/nvd-cve
• source/NVD
• agent/softwarecombine
• agent/event
• collector/github-advisory
• agent/trending
• agent/tags
• agent/source
• vendor/datadoghq
• canonical/datadoghq guarddog
• package-manager/pip