CVE CyberSecurity Database News

CVE-2024-0406 - How a Simple Tar File Bug in `mholt/archiver` Could Help Attackers Overwrite Your Files

Poster -

Security isn’t just about writing perfect code—it’s also about checking the code you use. A fresh security problem has popped up in the mholt/archiver package for Go, a popular tool for unpacking and packing archive files (.zip, .tar, etc.). Identified as CVE-2024-0406, this bug is simple but dangerous: with a tricky tar file, attackers could replace, delete, or sneakily add files anywhere on your system, depending on how you use the library.

In this article, we’ll break down what happened, show the code, and explain how an attacker might use this flaw.


## What Is mholt/archiver?

mholt/archiver is a Go library that makes working with archive formats (like zip and tar files) easy. Developers use it in tons of backup, deployment, and file-handling tools because it works well and saves time.

The CVE-2024-0406 Vulnerability Explained

In versions before v3.5.1, the library fails to stop a well-known trick: directory traversal. Directory traversal attacks happen when archive files sneak files outside of the intended target folder by using path tricks like ../. If your code isn't careful, attackers can unpack a tar file and overwrite important files even outside the directory you specify.

How Does It Work?

The problem is that archiver doesn’t properly clean up the paths inside the tarball, so dangerous paths like this work:

../etc/passwd

or

../../home/user/.ssh/authorized_keys

When you extract ("untar") the archive, files may end up outside your chosen directory, overwriting real system files or planting new ones with your application's permissions.

Let’s look at some vulnerable code

package main

import (
    "github.com/mholt/archiver/v3"
)

func main() {
    err := archiver.Unarchive("malicious.tar", "./output")
    if err != nil {
        panic(err)
    }
}

If malicious.tar contains files with sneaky paths like this

../etc/passwd
../../home/victim/.bashrc

when you run this, the real /etc/passwd or /home/victim/.bashrc can get replaced, corrupted, or malicious content can be added.

Craft a tar file with evil file paths:

- The attacker creates evil.tar, with files named like ../../.ssh/authorized_keys or ../../etc/shadow.

Find a victim application:

- The attacker finds any app or tool using mholt/archiver to unpack tar files (for backups, uploads, etc.)—especially web apps or services.

Overwrite or add files:

- The extraction puts the attacker’s files anywhere the process has permissions, which can lead to privilege escalation or denial of service.

Any Unix system can be used for this. Here’s a quick example

mkdir exploit
cd exploit
mkdir -p ../../tmp/hax
echo HACKED > ../../tmp/hax/pawned.txt
tar -cvf evil.tar ../../tmp/hax/pawned.txt

- Now evil.tar will unpack pawned.txt far outside the extraction directory, depending on where Unarchive is called.

Remediation and Fixes

The fix is to sanitize file paths when unpacking. The new version v3.5.1 and up fixes the issue by refusing to extract files containing .. or paths starting with /.

Upgrade immediately:

If you use mholt/archiver, update your package now

go get github.com/mholt/archiver/v3@v3.5.1

Or, in your go.mod, set

require github.com/mholt/archiver/v3 v3.5.1

References and More Reading

- Security Advisory – GHSA-vgcg-857r-mc84
- CVE Entry – CVE-2024-0406
- Patch & Release

Conclusion

Directory traversal bugs remain one of the oldest and easiest tricks in the attacker’s playbook for a reason: they’re easy to overlook. If your Go application unpacks uploads or archives from users, or does any automated restores, double-check your dependencies. Always use the latest versions of libraries, and consider adding your own path filtering if you handle archives directly.

Timeline

Published on: 04/06/2024 17:15:07 UTC
Last modified on: 04/08/2024 18:48:40 UTC