CVE-2022-44900: Path traversal vulnerability in py7zr
Directory traversal vulnerability in the SevenZipFile.extractall() function of the Python library py7zr, version 0.20.0 and earlier, allows attackers to read
Extracting a malicious 7z file allows access to arbitrary local files.
CVE-2022-44900
An attacker can exploit the vulnerability to gain arbitrary file read access and arbitrary file write access. To do this, the attacker must craft a malicious 7z archive.
A symlink is used to access an arbitrary file and/or a file with the same name.
A path traversal payload in a member name is used to achieve an arbitrary file write.
Exploiting
This is the test script (it simply extracts the archive given on the command line into the current directory):

    import py7zr
    import click


    @click.command()
    @click.argument("filename")
    def main_procedure(filename):
        # Open the archive read-only and extract every member into the current directory
        with py7zr.SevenZipFile(filename, "r") as archive:
            archive.extractall()


    if __name__ == "__main__":
        main_procedure()
The vulnerable function targeted is py7zr.SevenZipFile.extractall().
To test for the vulnerability, a lab was built. This was the directory structure used:

    +-- start_point
    |   +-- archive.7z
    |   +-- py7zr_test.py
    +-- target
        +-- write
        +-- read
start_point contains the scripts used in the tests and during development, and the malicious archive, which carries the path traversal payload in the form of the file name of an archived member.
For the arbitrary file write, one of the archived files is given the name ../target/write. After extraction, the contents of that archived file are written into target/write.
Similarly, a symlink can be used to access an arbitrary file. The archive must contain a symlink named ../target/read; once extracted, the symlink will contain the content of target/read.
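The two payload shapes described above (a member name that climbs out of the extraction directory, and a symlink whose target points outside it or that is later overwritten by a member of the same name) can be rejected before extraction. The following is an added defensive example, not code from the advisory or from the py7zr project: it audits a list of archive entries against a destination directory and refuses to extract if any entry would escape. The `Entry` records and the sample entries are constructed for illustration; the optional py7zr wrapper at the end assumes that `SevenZipFile.files` yields objects with `filename` and `is_symlink` attributes, which is an assumption about py7zr's internals rather than something the advisory states.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """Constructed description of one archive member (not a py7zr type)."""
    name: str
    is_symlink: bool = False
    link_target: Optional[str] = None  # target path stored in the symlink, if known


def _inside(dest: str, candidate: str) -> bool:
    """True if candidate (relative to dest) resolves to a path under dest."""
    dest_abs = os.path.abspath(dest)
    cand_abs = os.path.abspath(os.path.join(dest_abs, candidate))
    return os.path.commonpath([dest_abs, cand_abs]) == dest_abs


def audit_entries(dest: str, entries: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every entry that must not be extracted."""
    problems: List[Tuple[str, str]] = []
    symlinks_seen = set()
    for e in entries:
        # 1. Member name must stay under dest: rejects absolute names and '..' climbs
        #    such as ../target/write.
        if os.path.isabs(e.name) or not _inside(dest, e.name):
            problems.append((e.name, "member name escapes extraction directory"))
            continue
        if e.is_symlink:
            symlinks_seen.add(os.path.normpath(e.name))
            # 2. A symlink target is resolved relative to the link's own directory;
            #    an unknown or absolute target is treated as hostile.
            if e.link_target is None or os.path.isabs(e.link_target):
                problems.append((e.name, "symlink target unknown or absolute"))
                continue
            link_dir = os.path.dirname(e.name)
            if not _inside(dest, os.path.join(link_dir, e.link_target)):
                problems.append((e.name, "symlink target escapes extraction directory"))
            continue
        # 3. A regular member whose name (or any parent directory) matches an
        #    earlier symlink would be written through that link.
        parts = os.path.normpath(e.name).split(os.sep)
        for i in range(1, len(parts) + 1):
            if os.sep.join(parts[:i]) in symlinks_seen:
                problems.append((e.name, "member would be written through a symlink"))
                break
    return problems


def safe_extract(archive_path: str, dest: str) -> List[Tuple[str, str]]:
    """Audit a real archive and extract only if it is clean; returns the findings.

    Assumption: SevenZipFile.files yields objects exposing .filename and .is_symlink.
    Symlink targets are not read here, so every symlink is rejected as 'unknown'.
    """
    import py7zr  # imported lazily so the audit logic above needs no dependency

    with py7zr.SevenZipFile(archive_path, "r") as archive:
        entries = [Entry(f.filename, bool(getattr(f, "is_symlink", False)))
                   for f in archive.files]
        findings = audit_entries(dest, entries)
        if not findings:
            archive.extractall(path=dest)
    return findings


# Constructed sample entries mirroring the advisory's two payloads plus a benign file.
SAMPLE_ENTRIES = [
    Entry("docs/readme.txt"),
    Entry("../target/write"),
    Entry("../target/read", is_symlink=True, link_target="read"),
    Entry("link", is_symlink=True, link_target="../target/read"),
    Entry("link"),
]

if __name__ == "__main__":
    for name, reason in audit_entries("start_point", SAMPLE_ENTRIES):
        print(f"REJECT {name}: {reason}")
```

The audit is deliberately conservative: when the link target cannot be inspected without extracting, the symlink is rejected rather than trusted, which is the behaviour a defender wants for archives from untrusted sources.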
Disclosure timeline
29/10/2022: Maintainer privately notified of the vulnerability
30/10/2022: Response from the maintainer
01/11/2022: Release of the patched version 0.0.20.1
01/11/2022: CVE ID requested
06/12/2022: CVE ID obtained
06/12/2022: Public disclosure