Arbitrary File Overwrite & RCE via Tarfile Path Traversal
A vulnerability in DJL version 0.27.0 allows for arbitrary file overwrite and potential remote code execution via tarfile path traversal. This issue was patched in version 0.28.0.
Available publicly on Sep 30 2024
Threat Overview
The DJL package's untar function attempts to prevent path traversal by checking for relative path traversals but fails to account for absolute path traversals. An attacker can exploit this by creating a tarfile with absolute paths, leading to arbitrary file overwrite and potential remote code execution. This can have severe consequences, including unauthorized SSH access, web server exploitation, and availability impacts.
Attack Scenario
An attacker creates a malicious tarfile containing an absolute path to a sensitive file, such as /root/.ssh/authorized_keys
. When this tarfile is processed by the DJL framework, it overwrites the target file, potentially allowing the attacker to gain unauthorized access or execute arbitrary code on the system.
Who is affected
Users of DJL version 0.27.0 who utilize the untar function to process tarfiles are affected. This includes systems where DJL is used to download and save models or other resources.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.