A heap-based buffer over-read (CVE-2024-57970) was recently reported in libarchive through version 3.7.7. The bug reads past the end of a heap buffer rather than writing to it, so the realistic consequences are a crash of the application parsing the archive (denial of service) or disclosure of adjacent heap contents, not arbitrary code execution. In this blog post, we walk through the vulnerability details, show where the affected code path sits, and share the original references to help you understand and remediate this threat.

Vulnerability Details

In libarchive through version 3.7.7, a heap-based buffer over-read can be triggered in the header_gnu_longlink function in the archive_read_support_format_tar.c source file. A GNU long linkname is carried as a separate 'K' entry whose data blocks hold the link target for the entry that follows; the bug is improper handling of a TAR archive that is truncated in the middle of that linkname body. The abridged sketch below shows where the function sits in the parser (it is not the verbatim source):

static int
header_gnu_longlink(struct archive_read *a, struct tar *tar,
    struct archive_entry *entry, size_t parsed_size)
{
    // …
    hdrcharset = tar->sconv_tar;
    ret = header_pax_info(a, tar, entry, hdrcharset, "filename=", 9);
    // …
}

The over-read occurs when the archive ends partway through the long-linkname data. The size declared in the 'K' header is trusted, so the parser continues as if the full body were present and reads past the end of the heap buffer that holds the bytes actually read from the archive. The trigger is therefore a truncated archive, which is trivial to produce by cutting a legitimate one short.
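As an added example (not libarchive's code and not from the original post), the C program below models the bug class behind this CVE: a GNU 'K' long-linkname entry whose header declares a body larger than what the truncated archive actually contains. read_gnu_longlink is a hardened reader that validates the declared size against the bytes present before copying, longlink_overread_bytes reports how far an unchecked copy of the declared size would run past the buffer (computed, not performed, so nothing undefined happens), and the archive bytes are constructed in-process. The function names, the BODY_LIMIT cap and the sample archive are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAR_BLOCK 512
#define BODY_LIMIT 1048576 /* sanity cap on a long-linkname body (value assumed for this demo) */
enum { LL_TRUNCATED = -1, LL_BAD_HEADER = -2, LL_TOO_LARGE = -3 };

/* Parse a space/NUL-terminated ASCII octal field of width n; -1 on bad input. */
static long long tar_octal(const uint8_t *p, size_t n)
{
    long long v = 0;
    size_t i = 0;
    while (i < n && p[i] == ' ') i++;
    if (i == n || p[i] < '0' || p[i] > '7') return -1;
    for (; i < n && p[i] >= '0' && p[i] <= '7'; i++) {
        if (v > (0x7fffffffffffffffLL >> 3)) return -1;   /* overflow guard */
        v = (v << 3) + (p[i] - '0');
    }
    return v;
}

/* Hardened reader for a GNU 'K' entry at buf[0..avail). Copies the linkname to out and
 * returns bytes consumed (header + block-padded body), or a negative LL_* code. The
 * declared size is checked against the bytes actually present before anything is copied.
 * (A real reader also verifies the header checksum; omitted here for brevity.) */
static long long read_gnu_longlink(const uint8_t *buf, size_t avail, char *out, size_t outcap)
{
    if (avail < TAR_BLOCK) return LL_TRUNCATED;
    if (buf[156] != 'K') return LL_BAD_HEADER;            /* typeflag: GNU long linkname */
    long long size = tar_octal(buf + 124, 12);            /* size field, ASCII octal */
    if (size < 0 || size > BODY_LIMIT || (size_t)size >= outcap) return LL_TOO_LARGE;
    size_t padded = ((size_t)size + TAR_BLOCK - 1) / TAR_BLOCK * TAR_BLOCK;
    if (avail - TAR_BLOCK < padded) return LL_TRUNCATED;   /* body cut short: refuse it */
    memcpy(out, buf + TAR_BLOCK, (size_t)size);
    out[size] = '\0';
    return (long long)(TAR_BLOCK + padded);
}

/* Bytes an unchecked copy of the declared size would read past the end of buf.
 * Computed rather than performed, so the demo stays within defined behaviour. */
static size_t longlink_overread_bytes(const uint8_t *buf, size_t avail)
{
    if (avail < TAR_BLOCK) return 0;
    long long size = tar_octal(buf + 124, 12);
    size_t have = avail - TAR_BLOCK;
    return (size > 0 && (size_t)size > have) ? (size_t)size - have : 0;
}

/* One GNU-style 512-byte header: constructed test data, not a captured archive. */
static void put_header(uint8_t *h, const char *name, char type, size_t size)
{
    size_t n = strlen(name);
    memset(h, 0, TAR_BLOCK);
    memcpy(h, name, n > 100 ? 100 : n);
    snprintf((char *)h + 124, 12, "%011zo", size);   /* size field, ASCII octal */
    h[156] = (uint8_t)type;
    memcpy(h + 257, "ustar  ", 8);                   /* old GNU magic + version */
}

/* Archive layout: [K header][linkname body, block-padded][symlink header]. Returns length. */
static size_t build_longlink_archive(uint8_t *buf, const char *link)
{
    size_t body = strlen(link) + 1;                  /* GNU tar counts the NUL */
    size_t padded = (body + TAR_BLOCK - 1) / TAR_BLOCK * TAR_BLOCK;
    put_header(buf, "././@LongLink", 'K', body);
    memset(buf + TAR_BLOCK, 0, padded);
    memcpy(buf + TAR_BLOCK, link, body);
    put_header(buf + TAR_BLOCK + padded, "entry", '2', 0);
    return TAR_BLOCK + padded + TAR_BLOCK;
}

/* Runs both paths on a 299-char linkname; one numeric result per case so each can be checked. */
static long long demo(int which)
{
    static uint8_t archive[4 * TAR_BLOCK];
    char link[2048], name[300];
    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    size_t total = build_longlink_archive(archive, name);
    size_t cut = TAR_BLOCK + 100;                    /* archive ends 100 bytes into the body */
    switch (which) {
    case 0: return (long long)total;                                      /* 1536 */
    case 1: return read_gnu_longlink(archive, total, link, sizeof link);  /* 1024 */
    case 2: read_gnu_longlink(archive, total, link, sizeof link);
            return (long long)strlen(link);                               /* 299 */
    case 3: return (long long)longlink_overread_bytes(archive, cut);      /* 200 */
    default: return read_gnu_longlink(archive, cut, link, sizeof link);   /* -1 */
    }
}

int main(void)
{
    printf("bytes=%lld consumed=%lld linklen=%lld overread=%lld truncated_rc=%lld\n",
           demo(0), demo(1), demo(2), demo(3), demo(4));
    return 0;
}
```

With the complete 1536-byte archive the reader consumes the 'K' header plus its 512-byte padded body and hands back a 299-character link; with the archive cut 100 bytes into the body, an unchecked copy of the declared 300 bytes would run 200 bytes past the end of the data, while the hardened reader returns LL_TRUNCATED before touching it. The availability check on the rounded-up body size is the one that matters: a parser that only validates the declared size against a maximum, not against what was actually read, has exactly this gap.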

Exploit Details and References

An attacker who can supply a crafted or deliberately truncated TAR archive to an application that parses it with libarchive can trigger the over-read. Because the bug reads beyond a heap buffer rather than writing to it, the realistic outcomes are a crash of the parsing process (denial of service) or disclosure of whatever happens to sit after the buffer on the heap; it is not by itself a path to code execution. How serious that is depends on where libarchive is used: bsdtar on the command line is one consumer, but many package managers, file managers, backup tools and content scanners embed the library and parse archives they did not create, and any of those is exposed if it handles archives from untrusted sources.

The issue was reported to the libarchive project and has been assigned a CVE. More details are available at the following links:

1. libarchive issue tracker: https://github.com/libarchive/libarchive/issues/1846
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57970
3. NVD Page: https://nvd.nist.gov/vuln/detail/CVE-2024-57970

Mitigation and Recommendations

Users are advised to update libarchive to version 3.7.8 or later, or to apply the project's fix, as soon as a fixed build is available to them. Because libarchive is frequently vendored or statically linked, check each application that parses archives and not only the system package: bsdtar --version prints the libarchive version it was built against, and pkg-config --modversion libarchive reports the installed development package. Until fixed builds are deployed, it is strongly recommended to follow general security best practices:

1. Restrict the use of untrusted TAR archives as much as possible, especially on systems with sensitive or confidential data.

2. Where untrusted archives must be processed, run the extraction in a sandboxed or otherwise isolated process with minimal privileges, so that a crash or a leaked buffer affects as little as possible.

3. Treat crashes of bsdtar or libarchive-based tools on malformed input as a signal worth investigating rather than noise.

Conclusion

In this blog post, we've looked at CVE-2024-57970, a heap-based buffer over-read in libarchive through version 3.7.7, walked through the affected code path, and collected the original references. Understanding how the bug is triggered and updating the affected builds lets businesses and individuals protect the systems that parse archives from untrusted sources. Remember to stay vigilant and prioritize patching of vulnerabilities in widely embedded libraries like this one to ensure the ongoing security of your infrastructure.

Timeline

Published on: 02/16/2025 04:15:21 UTC
Last modified on: 02/18/2025 17:15:19 UTC