15-Year-Old Python Bug Let Hacker Execute Code in 350k Python Projects

The cybersecurity researchers at Trellix have recently identified a 15-year-old Python bug that has been found to potentially impact 350,000 open-source repositories. There is a possibility that this bug could lead to the execution of code.

This 15-year-old Python bug was disclosed in 2007 and has been tracked as CVE-2007-4559. Despite this, no patch was provided to mitigate the security issue. It was only mitigated by an update to the documentation that alerted developers to the risks.

Several industry verticals are represented by the open source repositories, including:-

  • Software development
  • Artificial intelligence
  • Machine learning
  • Web development
  • Media
  • Security
  • IT management
EHA

The tarfile module is affected by this security flaw, which was rated 6.8 by CVSS.

[embedded content]

Tarfile Flaw

A tar file is composed of several files that are bundled together with metadata and other information about the files. In order to unarchive the tar file in the future, it is necessary to use this metadata.

A tar archive contains a variety of metadata containing information that can range from the following:- 

  • File name
  • File size 
  • Checksum of the file
  • File owner information

This information is represented in the Python tarfile module by a class called TarInfo, which represents this information. A tar archive generates this information for each member. 

Several different types of structures can be represented using these members in a filesystem, including:-

  • Directories
  • Symbolic links
  • Files

There is an explicit trust in the information contained within the TarInfo object within the code. This is followed by joining the path that was passed to the extract function with the current path.

Tarfile Exploit

This vulnerability can be exploited by an attacker if they add “..” with the separator for their operating system (“/” or “”) into the filename. 

So they can escape the directory where the file is supposed to be extracted to take advantage of this vulnerability. The tarfile module in Python allows us to do precisely this:-

A filter can be added to the tarfile module to manipulate the metadata of a file before it is included in the archive. By using as little as six lines of code, attackers are able to create their exploits.

A researcher from Trellix rediscovered CVE-2007-4559 earlier this year during the investigation of a different security vulnerability.

In this case, an attacker could gain access to the file system via a directory traversal vulnerability caused by the failure of the tarfile.extract() and tarfile.extractall() functions to sanitize their members’ files.

Over 350,000 Projects Affected

The researchers developed a crawler that allowed them to identify 257 repositories that most likely contained the vulnerable code through the use of this crawler. 

These repositories were examined in 175 instances to determine if one of them contained it. As a result, it turned out that 61% of them were susceptible to attacks.

Based on the small sample set, an estimation of all impacted repositories on GitHub was derived from the sample set by using it as a baseline.

Trellix affirmed that the number of vulnerable repositories in their repository exceeds 350,000 based upon the 61% vulnerability rate that is manually verified. They are frequently used by machine learning tools that facilitate the development of faster and more accurate projects for developers.

For the provision of auto-complete options, these tools use code from hundreds of thousands of repositories in order to do so. The developer would not be aware that an issue has been propagated to other processes when they provide insecure code.

Trellix further developed a custom tool, Creosote, which enables users to check whether a project is vulnerable to CVE-2007-4559, as well as other vulnerabilities.

[embedded content]

Spyder IDE as well as Polemarch were found to have a vulnerability that could be exploited by using it. However, over 11,000 projects have been patched by Trellix. 

It is expected that more than 70,000 projects are going to be fixed in the next few weeks because of the large number of project repositories affected by the bug.

Download Free SWG – Secure Web Filtering – E-book

Posted by Charlie