Security
Headlines
HeadlinesLatestCVEs

Headline

py7zr 0.20.0 Directory Traversal

A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr versions 0.20.0 and earlier allows attackers to read arbitrary files on the local machine via a malicious 7z file extraction.

Packet Storm
#vulnerability#mac

CVE-2022-44900: path traversal vulnerability in py7zr

Directory traversal vulnerability in SevenZipFile.extractall() function of
the python library py7zr version 0.20.0 and earlier allow attackers to read
arbitrary files on the local machine via malicious 7z file extraction.

CVE-2022-44900 https://www.cve.org/CVERecord?id=CVE-2022-44900
vulnerability allows attackers to achieve arbitrary file read and arbitrary
file write. To do so, an attacker needs to create a malicious 7z archive
containing a symlink to achieve an arbitrary file read and a file with a
path traversal payload as name to achieve an arbitrary file write.
Exploiting

The script used for tests is the following:

import py7zr
import click

@click.command()
@click.argument(“filename”)

def main_procedure(filename):
with py7zr.SevenZipFile(filename, ‘r’) as archive:
archive.extractall()

main_procedure()

The vulnerabile function targeted is py7zr.SevenZipFile.extractall().

A lab setup has been built to test for vulnerabilities. Directories
structured as follow were used:

├── start_point
│ ├── archive.7z
│ └── py7zr_test.py
└── target
├── write
└── read

The start_point directory contains the script used for tests and the
malicious archive containing the path traversal payload in the form of the
filename of an archived file.

To achieve an arbitrary file read, one of the files in the archives needs
to have …/target/write set as name. The content of the file will be
written into target/write.

In a similar way, to achieve an arbitrary file read, a symlink pointing to
…/target/read needs to be present in the archive. When extracted the
symlink will consist of the content of target/read.
Disclosure timeline

29/10/2022 - Maintainer was notified privately of the vulnerabilities
30/10/2022 - Response from maintainer
01/11/2022 - Release of patched version 0.20.1
01/11/2022 - CVE ID request
06/12/2022 - CVE ID obtained
06/12/2022 - Public disclosure


Related news

Ubuntu Security Notice USN-7030-1

Ubuntu Security Notice 7030-1 - It was discovered that py7zr was vulnerable to path traversal attacks. If a user or automated system were tricked into extracting a specially crafted 7z archive, an attacker could possibly use this issue to write arbitrary files outside the target directory on the host.

Debian Security Advisory 5652-1

Debian Linux Security Advisory 5652-1 - A directory traversal vulnerability was discovered in py7zr, a library and command-line utility to process 7zip archives.

GHSA-m8xw-9x5x-6vh3: py7zr directory traversal vulnerability

A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.

CVE-2022-44900: Fix sanity check for path traversal attack · miurahr/py7zr@1bb43f1

A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.

Packet Storm: Latest News

Pyload Remote Code Execution