Thursday, February 6, 2025
HomeCVE/vulnerability15-Year-Old Python Bug Let Hacker Execute Code in 350k Python Projects

15-Year-Old Python Bug Let Hacker Execute Code in 350k Python Projects

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity researchers at Trellix have recently identified a 15-year-old Python bug that has been found to potentially impact 350,000 open-source repositories. There is a possibility that this bug could lead to the execution of code.

This 15-year-old Python bug was disclosed in 2007 and has been tracked as CVE-2007-4559. Despite this, no patch was provided to mitigate the security issue. It was only mitigated by an update to the documentation that alerted developers to the risks.

Several industry verticals are represented by the open source repositories, including:-

  • Software development
  • Artificial intelligence
  • Machine learning
  • Web development
  • Media
  • Security
  • IT management

The tarfile module is affected by this security flaw, which was rated 6.8 by CVSS.

Tarfile Flaw

A tar file is composed of several files that are bundled together with metadata and other information about the files. In order to unarchive the tar file in the future, it is necessary to use this metadata.

A tar archive contains a variety of metadata containing information that can range from the following:- 

  • File name
  • File size 
  • Checksum of the file
  • File owner information

This information is represented in the Python tarfile module by a class called TarInfo, which represents this information. A tar archive generates this information for each member. 

Several different types of structures can be represented using these members in a filesystem, including:-

  • Directories
  • Symbolic links
  • Files

There is an explicit trust in the information contained within the TarInfo object within the code. This is followed by joining the path that was passed to the extract function with the current path.

Tarfile Exploit

This vulnerability can be exploited by an attacker if they add “..” with the separator for their operating system (“/” or “\”) into the filename. 

So they can escape the directory where the file is supposed to be extracted to take advantage of this vulnerability. The tarfile module in Python allows us to do precisely this:-

A filter can be added to the tarfile module to manipulate the metadata of a file before it is included in the archive. By using as little as six lines of code, attackers are able to create their exploits.

A researcher from Trellix rediscovered CVE-2007-4559 earlier this year during the investigation of a different security vulnerability.

In this case, an attacker could gain access to the file system via a directory traversal vulnerability caused by the failure of the tarfile.extract() and tarfile.extractall() functions to sanitize their members’ files.

Over 350,000 Projects Affected

The researchers developed a crawler that allowed them to identify 257 repositories that most likely contained the vulnerable code through the use of this crawler. 

These repositories were examined in 175 instances to determine if one of them contained it. As a result, it turned out that 61% of them were susceptible to attacks.

Based on the small sample set, an estimation of all impacted repositories on GitHub was derived from the sample set by using it as a baseline.

Trellix affirmed that the number of vulnerable repositories in their repository exceeds 350,000 based upon the 61% vulnerability rate that is manually verified. They are frequently used by machine learning tools that facilitate the development of faster and more accurate projects for developers.

For the provision of auto-complete options, these tools use code from hundreds of thousands of repositories in order to do so. The developer would not be aware that an issue has been propagated to other processes when they provide insecure code.

Trellix further developed a custom tool, Creosote, which enables users to check whether a project is vulnerable to CVE-2007-4559, as well as other vulnerabilities.

Spyder IDE as well as Polemarch were found to have a vulnerability that could be exploited by using it. However, over 11,000 projects have been patched by Trellix. 

It is expected that more than 70,000 projects are going to be fixed in the next few weeks because of the large number of project repositories affected by the bug.

Download Free SWG – Secure Web Filtering – E-book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Paragon Spyware Allegedly Ends Spyware Contract with Italy

Paragon Solutions, an Israeli cybersecurity firm, has reportedly ended its spyware contract with Italy.The...

Authorities Arrested Hacker Who Compromised 40+ Organizations

Spanish authorities have arrested a hacker believed to be responsible for cyberattacks targeting over...

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

OpenAI may have become the latest high-profile target of a significant data breach.A...

Lumma Stealer Attacking Windows Users In India With Fake Captcha Pages

Cybersecurity experts are raising alarms over a new wave of attacks targeting Windows users...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Paragon Spyware Allegedly Ends Spyware Contract with Italy

Paragon Solutions, an Israeli cybersecurity firm, has reportedly ended its spyware contract with Italy.The...

Authorities Arrested Hacker Who Compromised 40+ Organizations

Spanish authorities have arrested a hacker believed to be responsible for cyberattacks targeting over...

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

OpenAI may have become the latest high-profile target of a significant data breach.A...