GHSA-47WR-426J-FR82
Vulnerability from github – Published: 2022-02-12 00:14 – Updated: 2021-05-21 18:35Impact
Users unpacking a tarball through dbdeployer may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defences.
Mitigating factors
For the attach to succeed, the following factors need to contribute:
- The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user.
- The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack.
Analysis
An attacker could inject a symbolic link into the tarball, so that a file could result into fake_file -> /etc/passwd or some equally important file.
As it is now, dbdeployer would create the symlink as defined, with a local file fake_file linked to /etc/passwd. The danger here is that any process with the privileges to write to both fake_file and /etc/passwd could overwrite the system file. Even without malicious intent, this could result in the system to become unusable.
As noted above, the user must have write privileges to the target file to do the damage.
Remedies
It has been suggested that the extract procedure use filepath.EvalSymlinks to determine whether the target is within the extraction directory. Unfortunately, this approach is unavailable in this context, because it would prevent legitimate patterns from being carried out.
A simple case is a file mysql-8.0.22-macos10.15-x86_64/bin/libprotobuf-lite.3.11.4.dylib with a linkName ../lib/libprotobuf-lite.3.11.4.dylib, if the linked file has not been created yet, filepath.EvalSymlinks would fail, as it acts on existing files only.
An alternative method is comparing the depth (how many directories) of the file name with the depth of the link name. If the link name has a higher depth than the local file, we block the operation with an appropriate error:
Unpacking tarball exploit/mysql-8.0.22-macos10.15-x86_64.tar.gz to $HOME/opt/mysql/test8.0.22
......
link '../../../../../../../../../../etc' points outside target directory
exit status 1
As an additional fortifier, we can check whether the link points to an existing file, calculate its absolute name, and compare it with the absolute name of the extraction directory. A link to a full path (such as /etc/passwd) would fail this test, and trigger an error.
The same check can be applied to a link to a non existing file with absolute path.
Patches
Patched in release 1.58.2
For more information
If you have any questions or comments about this advisory: * Open an issue in dbdeployer
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/datacharmer/dbdeployer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.58.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26277"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T18:35:39Z",
"nvd_published_at": "2020-12-21T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n_Users unpacking a tarball through dbdeployer may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defences._\n\n### Mitigating factors\nFor the attach to succeed, the following factors need to contribute:\n\n* The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user.\n* The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack.\n\n### Analysis\n\nAn attacker could inject a symbolic link into the tarball, so that a file could result into `fake_file -\u003e /etc/passwd` or some equally important file.\nAs it is now, dbdeployer would create the symlink as defined, with a local file `fake_file` linked to `/etc/passwd`. The danger here is that any process with the privileges to write to both `fake_file` and `/etc/passwd` could overwrite the system file. Even without malicious intent, this could result in the system to become unusable.\nAs noted above, the user must have write privileges to the target file to do the damage.\n\n### Remedies\n\nIt has been suggested that the extract procedure use `filepath.EvalSymlinks` to determine whether the target is within the extraction directory. Unfortunately, this approach is unavailable in this context, because it would prevent legitimate patterns from being carried out.\nA simple case is a file `mysql-8.0.22-macos10.15-x86_64/bin/libprotobuf-lite.3.11.4.dylib` with a linkName `../lib/libprotobuf-lite.3.11.4.dylib`, if the linked file has not been created yet, `filepath.EvalSymlinks` would fail, as it acts on existing files only.\n\nAn alternative method is comparing the depth (how many directories) of the file name with the depth of the link name. If the link name has a higher depth than the local file, we block the operation with an appropriate error:\n\n```\nUnpacking tarball exploit/mysql-8.0.22-macos10.15-x86_64.tar.gz to $HOME/opt/mysql/test8.0.22\n......\nlink \u0027../../../../../../../../../../etc\u0027 points outside target directory\n\nexit status 1\n```\nAs an additional fortifier, we can check whether the link points to an existing file, calculate its absolute name, and compare it with the absolute name of the extraction directory. A link to a full path (such as `/etc/passwd`) would fail this test, and trigger an error.\n\nThe same check can be applied to a link to a non existing file with absolute path.\n\n### Patches\n\nPatched in release 1.58.2\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [dbdeployer](https://github.com/datacharmer/dbdeployer)",
"id": "GHSA-47wr-426j-fr82",
"modified": "2021-05-21T18:35:39Z",
"published": "2022-02-12T00:14:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/datacharmer/dbdeployer/security/advisories/GHSA-47wr-426j-fr82"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26277"
},
{
"type": "WEB",
"url": "https://github.com/datacharmer/dbdeployer/commit/548e256c1de2f99746e861454e7714ec6bc9bb10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations in dbdeployer"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.