There is a vulnerability in unarr, which will lead to a path traversal vulnerability
Go unarr does not check the contents of the archive.
Exploit process
An attacker can construct a malicious tar package (or any compressed archive file).
As shown in the figure below, obviously, this will not succeed under the tar command, because the tar command fixes the vulnerability.
The victim uses go unarr to unzip the archive.
As shown in the figure below, path traversal occurs during go unarr decompression, and we upload the file to the ../ directory.
By triggering the path traversal vulnerability, an attacker can store any file in any privileged place (which means that RCE can be caused under root privileges).
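A caller-side check for the traversal reported above, as an added example that is not part of the original issue or of go-unarr's code. `safeJoin` and `partition` are hypothetical helpers, and the entry names and the `/tmp/out` destination are constructed; the check is lexical and assumes no attacker-controlled symlinks already exist under the destination.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin (hypothetical helper, not part of go-unarr) maps an archive entry
// name to a path under dest, or returns an error if the entry would land
// outside dest. Lexical check only: symlinks under dest are not resolved.
func safeJoin(dest, name string) (string, error) {
	// Archives built on Windows may use backslashes; treat them as separators.
	name = strings.ReplaceAll(name, `\`, "/")
	if name == "" || strings.HasPrefix(name, "/") || filepath.VolumeName(name) != "" {
		return "", fmt.Errorf("entry %q: empty or absolute path", name)
	}
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, filepath.FromSlash(name)) // Join also collapses ".."
	// Rel (not a string prefix test) avoids confusing /tmp/out with /tmp/out-other.
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q: escapes %s", name, dest)
	}
	return target, nil
}

// partition splits entry names into paths safe to extract and names rejected.
func partition(dest string, names []string) (safe, rejected []string) {
	for _, n := range names {
		if p, err := safeJoin(dest, n); err == nil {
			safe = append(safe, p)
		} else {
			rejected = append(rejected, n)
		}
	}
	return safe, rejected
}

func main() {
	// Constructed entry names, as an archive listing might return them.
	names := []string{"docs/readme.txt", "../evil.sh", "a/../../evil.sh",
		"/etc/cron.d/job", `..\..\evil.sh`, "a/../b.txt"}
	safe, rejected := partition("/tmp/out", names)
	fmt.Println("extract:", safe)
	fmt.Println("reject: ", rejected)
}
```

Run the check on every entry name before writing anything to disk, and abort the whole extraction if any entry is rejected rather than skipping it silently.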