[jira] [Commented] (MESOS-9610) Fetcher vulnerability - escaping from sandbox
[ https://issues.apache.org/jira/browse/MESOS-9610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16787285#comment-16787285 ]

Gilbert Song commented on MESOS-9610:
-------------------------------------

Probably we could create a separate JIRA to follow up on *ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS*? cc [~mderela] [~kaysoky]

> Fetcher vulnerability - escaping from sandbox
> ---------------------------------------------
>
>                 Key: MESOS-9610
>                 URL: https://issues.apache.org/jira/browse/MESOS-9610
>             Project: Mesos
>          Issue Type: Bug
>          Components: fetcher
>    Affects Versions: 1.7.2
>            Reporter: Mariusz Derela
>            Assignee: Joseph Wu
>            Priority: Blocker
>              Labels: bug, foundations, security-issue, vulnerabilities
>             Fix For: 1.8.0, 1.7.3
>
>
> I have noticed that there is a possibility to exploit the fetcher and overwrite
> any file on the agent host.
>
> Scenario to reproduce:
>
> 1) Prepare a file with any content, name it something like "../../../etc/test"
> and archive it. We can use Python and the zipfile module to achieve that:
> {code:python}
> >>> import zipfile
> >>> zip = zipfile.ZipFile("exploit.zip", "w")
> >>> zip.writestr("../../../../../../../../../../../../etc/mariusz_was_here.txt",
> ...              "some content")
> >>> zip.close()
> {code}
> 2) Prepare a service that will use our artifact (exploit.zip).
> 3) Run the service.
>
> At the end, in /etc we will get our file. As you can imagine, there are a lot of
> possibilities for how this can be used.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (MESOS-9610) Fetcher vulnerability - escaping from sandbox
[ https://issues.apache.org/jira/browse/MESOS-9610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16785718#comment-16785718 ]

Mariusz Derela commented on MESOS-9610:
---------------------------------------

In the interface of libarchive there is a flag, ARCHIVE_EXTRACT_SECURE_NODOTDOT; using it makes it possible to filter out such things.
[jira] [Commented] (MESOS-9610) Fetcher vulnerability - escaping from sandbox
[ https://issues.apache.org/jira/browse/MESOS-9610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16779365#comment-16779365 ]

Mariusz Derela commented on MESOS-9610:
---------------------------------------

I have checked the newest version of libarchive. It seems that the issue is still there.
[jira] [Commented] (MESOS-9610) Fetcher vulnerability - escaping from sandbox
[ https://issues.apache.org/jira/browse/MESOS-9610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16778613#comment-16778613 ]

Joseph Wu commented on MESOS-9610:
----------------------------------

This is related to the introduction of libarchive in 1.7.0. The code which creates files/directories does not sanitize paths for extraneous ".."s:

https://github.com/apache/mesos/blob/4a2dbe25c7377636fe3a9d9c8576297a6db561cd/3rdparty/stout/include/stout/archiver.hpp#L128-L130
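As an added defender-side illustration (not code from the Mesos project or from anyone in this thread), the following Python check mirrors the two libarchive flags discussed above, ARCHIVE_EXTRACT_SECURE_NODOTDOT and ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS, and applies it to an in-memory archive built the same way as the reporter's reproduction. The function names, constant names and sample entries are assumptions made for the example.

```python
import io
import os
import tempfile
import zipfile

# Hypothetical mirror of the two libarchive flags named in the thread (Python's
# ZipFile.extract() already strips these; a caller writing paths itself must not).
NOABSOLUTE = "ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS"
NODOTDOT = "ARCHIVE_EXTRACT_SECURE_NODOTDOT"

def entry_violations(name):
    """Flag names an entry name would trip; an empty tuple means safe."""
    reasons = []
    if name.startswith("/"):            # absolute POSIX path
        reasons.append(NOABSOLUTE)
    if ".." in name.split("/"):         # ".." anywhere, not only leading
        reasons.append(NODOTDOT)
    return tuple(reasons)

def safe_extract(zip_bytes, dest=None):
    """Write only entries that stay inside dest; returns (extracted, rejected)."""
    dest_real = os.path.realpath(dest or tempfile.mkdtemp(prefix="fetcher-sandbox-"))
    extracted, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # parent directories are created on demand below
            reasons = entry_violations(info.filename)
            # lstrip: os.path.join would otherwise discard dest for "/etc/x".
            target = os.path.realpath(os.path.join(dest_real, info.filename.lstrip("/")))
            if not reasons and os.path.commonpath([dest_real, target]) != dest_real:
                reasons = ("escapes destination",)  # belt and braces after normalisation
            if reasons:
                rejected[info.filename] = reasons
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected

def build_sample_archive():
    """Constructed sample: a benign entry plus the two entry shapes the thread names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.yaml", "listen: 8080\n")
        zf.writestr("../../../../../../../../../../../../etc/mariusz_was_here.txt", "some content")
        zf.writestr("/etc/absolute_entry.txt", "constructed absolute-path entry")
    return buf.getvalue()
```

Calling `safe_extract(build_sample_archive())` writes only `app/config.yaml` into a fresh temporary directory and reports the other two entries with the flag each one trips.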