原文始发于Jaroslav Lobacevski:GHSL-2022-012: Arbitrary file write during TAR extraction in Apache Hadoop – CVE-2022-26612
GHSL-2022-012: Arbitrary file write during TAR extraction in Apache Hadoop – CVE-2022-26612
Coordinated Disclosure Timeline
- 2022/02/08: Report sent to security at apache.org.
- 2022/02/09: Receipt acknowledged.
- 2022/03/10: Issue fixed in the main branch.
- 2022/03/28: v3.2.3 with the fix were released.
Summary
Function during TAR extraction follows symbolic links (symlinks) which allows writing outside expected base directory on Windows.unpackEntries
Product
Apache Hadoop
Tested Version
Latest version from the trunk
Details
Issue: arbitrary file write in on Windows (unpackEntries
GHSL-2022-012
)
unTar
uses function on Windows and the built-in utility on Unix and other OSes:unTarUsingJava
tar
if(Shell.WINDOWS) {
// Tar is not native to Windows. Use simple Java based implementation for
// tests and simple tar archives
unTarUsingJava(inFile, untarDir, gzipped);
}
else {
// spawn tar utility to untar archive for full fledged unix behavior such
// as resolving symlinks in tar archives
unTarUsingTar(inFile, untarDir, gzipped);
}
The function verifies that the extracted TAR entry is under the expected :targetDirPath
if (!outputFile.getCanonicalPath().startsWith(targetDirPath)) {
throw new IOException("expanding " + entry.getName()
+ " would create entry outside of " + outputDir);
}
However it doesn’t apply the same restriction to the target of an extracted symlink:
if (entry.isSymbolicLink()) {
// Create symbolic link relative to tar parent dir
Files.createSymbolicLink(FileSystems.getDefault()
.getPath(outputDir.getPath(), entry.getName()),
FileSystems.getDefault().getPath(entry.getLinkName())); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
return;
}
As a result a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath
check on Unix because of the call. However on Windows doesn’t resolve symbolic links, which bypasses the check.getCanonicalPath
getCanonicalPath
Note: In general, creation of symlinks on Windows requires elevated privileges that are not granted to standard users. The privilege can be granted to standard users per or to all users globally if Developer Mode is enabled.SeCreateSymbolicLinkPrivilege
Impact
This issue allows arbitrary write outside the expected extraction directory on Windows.
CVE
- CVE-2022-26612
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at , please include a reference to in any communication regarding this issue.[email protected]
GHSL-2022-012
转载请注明:GHSL-2022-012: Arbitrary file write during TAR extraction in Apache Hadoop – CVE-2022-26612 | CTF导航