py7zr 0.20.0 Directory Traversal
Posted Dec 7, 2022
Authored by Matteo Cosentino

A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr versions 0.20.0 and earlier allows attackers to read arbitrary files on the local machine via a malicious 7z file extraction.

tags | exploit, arbitrary, local, python, file inclusion
advisories | CVE-2022-44900
SHA-256 | 7aa7ca72652dab91234127d8332a19316f0f61be17e1c626e65aae18d9435347

CVE-2022-44900: path traversal vulnerability in py7zr

A directory traversal vulnerability in the SevenZipFile.extractall() function
of the python library py7zr, version 0.20.0 and earlier, allows attackers to
read arbitrary files on the local machine via malicious 7z file extraction.

CVE-2022-44900 <https://www.cve.org/CVERecord?id=CVE-2022-44900> allows
attackers to achieve both arbitrary file read and arbitrary file write. To do
so, an attacker needs to create a malicious 7z archive containing a symlink
(for the arbitrary file read) and a file whose name carries a path traversal
payload (for the arbitrary file write).

Exploiting

The script used for tests is the following:

import py7zr
import click


@click.command()
@click.argument("filename")
def main_procedure(filename):
    # Vulnerable call: extractall() in py7zr 0.20.0 and earlier does not
    # reject member names containing ../ nor symlinks that point outside
    # the extraction directory.
    with py7zr.SevenZipFile(filename, 'r') as archive:
        archive.extractall()


if __name__ == "__main__":
    main_procedure()

The vulnerable function targeted is py7zr.SevenZipFile.extractall().

A lab setup was built to test for the vulnerabilities, using directories
structured as follows:

├── start_point
│   ├── archive.7z
│   └── py7zr_test.py
└── target
    ├── write
    └── read

The start_point directory contains the script used for tests and the
malicious archive, in which the path traversal payload is carried in the
filename of an archived file.

To achieve an arbitrary file write, one of the files in the archive needs
to have ../target/write set as its name. On extraction, the content of that
file is written into target/write, outside the extraction directory.

In a similar way, to achieve an arbitrary file read, a symlink pointing to
../target/read needs to be present in the archive. Once extracted, the
symlink resolves to target/read, so reading the extracted entry yields the
content of target/read.

Disclosure timeline
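As an added defensive example (not part of this advisory and not the py7zr 0.20.1 fix), the check below validates archive members before anything is written to disk, rejecting exactly the two member shapes described above plus a member written through an earlier in-archive symlink; the Member class and SAMPLE_MEMBERS are assumptions standing in for whatever enumeration of names and link targets the caller has.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Member:
    name: str                          # stored member name
    link_target: Optional[str] = None  # symlink target, None for regular files

def _inside(base: str, candidate: str) -> bool:
    """True if candidate, after ../ normalisation, stays under base."""
    base, candidate = os.path.realpath(base), os.path.realpath(candidate)
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: certainly not inside
        return False

def unsafe_members(members: List[Member], dest: str) -> List[Tuple[str, str]]:
    """Return (name, reason) for every entry that must not be extracted into dest."""
    dest = os.path.realpath(dest)
    symlink_names: List[str] = []
    bad: List[Tuple[str, str]] = []
    for m in members:
        norm = m.name.replace("\\", "/")
        # A name such as ../target/write resolves outside dest: arbitrary file write.
        if os.path.isabs(norm) or not _inside(dest, os.path.join(dest, norm)):
            bad.append((m.name, "name escapes the destination directory"))
            continue
        # An entry written through an earlier symlink member would follow it out of dest.
        if any(norm == s or norm.startswith(s + "/") for s in symlink_names):
            bad.append((m.name, "path passes through an archived symlink"))
            continue
        if m.link_target is not None:
            link_dir = os.path.dirname(os.path.join(dest, norm))
            # A symlink to ../target/read exposes that file's content: arbitrary file read.
            if os.path.isabs(m.link_target) or not _inside(dest, os.path.join(link_dir, m.link_target)):
                bad.append((m.name, f"symlink target {m.link_target!r} escapes the destination"))
                continue
            symlink_names.append(norm)
    return bad

# Constructed sample member list mirroring the two payloads described above.
SAMPLE_MEMBERS = [
    Member("notes/readme.txt"),
    Member("../target/write"),                     # traversal in the member name
    Member("link", link_target="../target/read"),  # symlink out of the tree
    Member("lnk", link_target="notes"),            # harmless symlink inside the tree
    Member("lnk/evil.txt"),                        # but writing through it is not
]
```

Calling unsafe_members(SAMPLE_MEMBERS, "extract_dir") flags the traversal name, the escaping symlink and the entry routed through lnk, while the first and fourth members pass; the lexical check is a pre-flight filter and does not replace extracting with a library version that enforces these rules itself.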

29/10/2022 - Maintainer was notified privately of the vulnerabilities
30/10/2022 - Response from maintainer
01/11/2022 - Release of patched version 0.20.1
01/11/2022 - CVE ID request
06/12/2022 - CVE ID obtained
06/12/2022 - Public disclosure