Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-38FDF07B-E8EC-11EA-8BBE-E0D55E2A8BF9 (CVE-2020-24654): ark -- extraction outside of extraction directory


Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 08/27/2020
Created: 09/01/2020
Added: 08/29/2020
Modified: 10/20/2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-38FDF07B-E8EC-11EA-8BBE-E0D55E2A8BF9:

Albert Astals Cid reports:

Overview

A maliciously crafted TAR archive containing symlink entries would install files anywhere in the user's home directory upon extraction.

Proof of concept

For testing, an example of a malicious archive can be found at dirsymlink.tar.

Impact

Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart.

Workaround

Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain symlink entries pointing outside the extraction folder.

The 'Extract' context menu from the Dolphin file manager shouldn't be used.

Solution

Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.

Alternatively, 8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous releases.

Credits

Thanks to Fabian Vogt for reporting this issue and for fixing it.
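The inspection step the workaround describes, as an added example that is not code from the advisory, Ark, KDE or Rapid7: a Python check that lists the TAR entries a naive extractor would write outside the extraction directory, either a symlink whose target resolves outside it or a file whose path is routed through a directory symlink seen earlier in the archive (the dirsymlink pattern). The extraction root `/tmp/extract` and the in-memory sample archive are constructed assumptions, not the advisory's dirsymlink.tar.

```python
import io
import posixpath
import tarfile

def escapes(root: str, path: str) -> bool:
    """True when `path`, joined onto `root`, normalises to somewhere outside `root`."""
    full = posixpath.normpath(posixpath.join(root, path))
    return full != root and not full.startswith(root + "/")

def find_unsafe_entries(archive: bytes, root: str = "/tmp/extract") -> list[str]:
    """Names of entries a naive extractor would write outside `root`: names that
    escape on their own (absolute or via ..), symlinks resolving outside root, and
    files routed through a symlink seen earlier in the archive (conservatively,
    any symlinked parent counts, since the extractor follows it on write)."""
    root = posixpath.normpath(root)
    unsafe, links = [], {}  # links: normalised symlink name -> resolved target
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            name = posixpath.normpath(member.name)
            if posixpath.isabs(name) or escapes(root, name):
                unsafe.append(member.name)
            elif member.issym():
                target = member.linkname
                if not posixpath.isabs(target):
                    target = posixpath.join(root, posixpath.dirname(name), target)
                links[name] = posixpath.normpath(target)
                if escapes(root, links[name]):
                    unsafe.append(member.name)
            else:
                parent = posixpath.dirname(name)
                while parent and parent != ".":
                    if parent in links:
                        unsafe.append(member.name)
                        break
                    parent = posixpath.dirname(parent)
    return unsafe

def build_sample() -> bytes:
    """Constructed in-memory archive for exercising the check (not the advisory's
    dirsymlink.tar): a directory symlink leaving the root, an empty file routed
    through it, and one harmless entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("share")
        link.type, link.linkname = tarfile.SYMTYPE, "../../home/victim"
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("share/.bashrc"))  # zero-length regular file
        tar.addfile(tarfile.TarInfo("README"))
    return buf.getvalue()
```

Running `find_unsafe_entries(build_sample())` reports the symlink and the file routed through it, while `README` passes; an archive that reports nothing is safe to hand to any extractor that does not itself validate symlinks.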

Solution(s)

  • freebsd-upgrade-package-ark
