Saturday, November 9, 2024
HomeCVE/vulnerability15-Year-Old Python Bug Let Hacker Execute Code in 350k Python Projects

15-Year-Old Python Bug Let Hacker Execute Code in 350k Python Projects

Published on

Malware protection

The cybersecurity researchers at Trellix have recently identified a 15-year-old Python bug that has been found to potentially impact 350,000 open-source repositories. There is a possibility that this bug could lead to the execution of code.

This 15-year-old Python bug was disclosed in 2007 and has been tracked as CVE-2007-4559. Despite this, no patch was provided to mitigate the security issue. It was only mitigated by an update to the documentation that alerted developers to the risks.

Several industry verticals are represented by the open source repositories, including:-

- Advertisement - SIEM as a Service
  • Software development
  • Artificial intelligence
  • Machine learning
  • Web development
  • Media
  • Security
  • IT management

The tarfile module is affected by this security flaw, which was rated 6.8 by CVSS.

Tarfile Flaw

A tar file is composed of several files that are bundled together with metadata and other information about the files. In order to unarchive the tar file in the future, it is necessary to use this metadata.

A tar archive contains a variety of metadata containing information that can range from the following:- 

  • File name
  • File size 
  • Checksum of the file
  • File owner information

This information is represented in the Python tarfile module by a class called TarInfo, which represents this information. A tar archive generates this information for each member. 

Several different types of structures can be represented using these members in a filesystem, including:-

  • Directories
  • Symbolic links
  • Files

There is an explicit trust in the information contained within the TarInfo object within the code. This is followed by joining the path that was passed to the extract function with the current path.

Tarfile Exploit

This vulnerability can be exploited by an attacker if they add “..” with the separator for their operating system (“/” or “\”) into the filename. 

So they can escape the directory where the file is supposed to be extracted to take advantage of this vulnerability. The tarfile module in Python allows us to do precisely this:-

A filter can be added to the tarfile module to manipulate the metadata of a file before it is included in the archive. By using as little as six lines of code, attackers are able to create their exploits.

A researcher from Trellix rediscovered CVE-2007-4559 earlier this year during the investigation of a different security vulnerability.

In this case, an attacker could gain access to the file system via a directory traversal vulnerability caused by the failure of the tarfile.extract() and tarfile.extractall() functions to sanitize their members’ files.

Over 350,000 Projects Affected

The researchers developed a crawler that allowed them to identify 257 repositories that most likely contained the vulnerable code through the use of this crawler. 

These repositories were examined in 175 instances to determine if one of them contained it. As a result, it turned out that 61% of them were susceptible to attacks.

Based on the small sample set, an estimation of all impacted repositories on GitHub was derived from the sample set by using it as a baseline.

Trellix affirmed that the number of vulnerable repositories in their repository exceeds 350,000 based upon the 61% vulnerability rate that is manually verified. They are frequently used by machine learning tools that facilitate the development of faster and more accurate projects for developers.

For the provision of auto-complete options, these tools use code from hundreds of thousands of repositories in order to do so. The developer would not be aware that an issue has been propagated to other processes when they provide insecure code.

Trellix further developed a custom tool, Creosote, which enables users to check whether a project is vulnerable to CVE-2007-4559, as well as other vulnerabilities.

Spyder IDE as well as Polemarch were found to have a vulnerability that could be exploited by using it. However, over 11,000 projects have been patched by Trellix. 

It is expected that more than 70,000 projects are going to be fixed in the next few weeks because of the large number of project repositories affected by the bug.

Download Free SWG – Secure Web Filtering – E-book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...