Lucene search
Matteo CosentinoPACKETSTORM:170127HistoryDec 07, 2022 - 12:00 a.m.
py7zr 0.20.0 Directory Traversal
2022-12-0700:00:00
Matteo Cosentino
packetstormsecurity.com
170
vulnerability
py7zr
directory traversal
sevenzipfile
extractall
arbitrary file read
arbitrary file write
cve-2022-44900
patch
public disclosure
0.008 Low
EPSS
Percentile
81.3%
`CVE-2022-44900: path traversal vulnerability in py7zr
Directory traversal vulnerability in SevenZipFile.extractall() function of
the python library py7zr version 0.20.0 and earlier allow attackers to read
arbitrary files on the local machine via malicious 7z file extraction.
CVE-2022-44900 <https://www.cve.org/CVERecord?id=CVE-2022-44900>
vulnerability allows attackers to achieve arbitrary file read and arbitrary
file write. To do so, an attacker needs to create a malicious 7z archive
containing a symlink to achieve an arbitrary file read and a file with a
path traversal payload as name to achieve an arbitrary file write.
Exploiting
The script used for tests is the following:
import py7zr
import click
@click.command()
@click.argument("filename")
def main_procedure(filename):
with py7zr.SevenZipFile(filename, 'r') as archive:
archive.extractall()
main_procedure()
The vulnerabile function targeted is py7zr.SevenZipFile.extractall().
A lab setup has been built to test for vulnerabilities. Directories
structured as follow were used:
āāā start_point
ā āāā archive.7z
ā āāā py7zr_test.py
āāā target
āāā write
āāā read
The start_point directory contains the script used for tests and the
malicious archive containing the path traversal payload in the form of the
filename of an archived file.
To achieve an arbitrary file read, one of the files in the archives needs
to have ../target/write set as name. The content of the file will be
written into target/write.
In a similar way, to achieve an arbitrary file read, a symlink pointing to
../target/read needs to be present in the archive. When extracted the
symlink will consist of the content of target/read.
Disclosure timeline
29/10/2022 - Maintainer was notified privately of the vulnerabilities
30/10/2022 - Response from maintainer
01/11/2022 - Release of patched version 0.20.1
01/11/2022 - CVE ID request
06/12/2022 - CVE ID obtained
06/12/2022 - Public disclosure
------------------------------
`
Related
githubexploit
githubexploit
Exploit for Path Traversal in Py7Zr Project Py7Zr
2023-01-21 14:52:59
osv
osv
CVE-2022-44900
2022-12-06 20:15:10
py7zr - security update
2024-04-02 00:00:00
PYSEC-2022-42998
2022-12-06 20:15:00
veracode
veracode
Directory Traversal
2022-12-08 10:56:43
openvas
openvas
Debian: Security Advisory (DSA-5652-1)
2024-04-04 00:00:00
nvd
nvd
CVE-2022-44900
2022-12-06 20:15:10
debiancve
debiancve
CVE-2022-44900
2022-12-06 20:15:10
ubuntucve
ubuntucve
CVE-2022-44900
2022-12-06 00:00:00
debian
debian
[SECURITY] [DSA 5652-1] py7zr security update
2024-04-02 18:01:49
cvelist
cvelist
CVE-2022-44900
2022-12-06 00:00:00
cve
cve
CVE-2022-44900
2022-12-06 20:15:10
prion
prion
Directory traversal
2022-12-06 20:15:00
zdt
zdt
py7zr 0.20.0 Directory Traversal Vulnerability
2022-12-07 00:00:00
nessus
nessus
Debian dsa-5652 : python-py7zr-doc - security update
2024-04-02 00:00:00
github
github
py7zr directory traversal vulnerability
2022-12-06 21:30:45