CVE-2021-32840
Arbitrary File Write vulnerability in SharpZipLib (NuGet)
What is CVE-2021-32840 About?
This vulnerability in SharpZipLib allows arbitrary file write through directory traversal when extracting TAR archives: an entry name such as ../evil.txt is written outside the intended destination folder. Because the attacker controls where on the file system the extracted file lands, the bug can potentially be escalated to remote code execution. Exploitation is of medium difficulty; it requires a crafted TAR file and an application that extracts untrusted archives with a vulnerable version of the library.
Affected Software
SharpZipLib (NuGet package) in versions before 1.3.3, which is the release that contains the fix.
Technical Details
The vulnerability exists in SharpZipLib's handling of TAR entry names during extraction. The entry name is combined with the extraction directory (destFolder) without first rejecting or normalising parent-directory components, so a name like ../evil.txt is not validated against directory traversal. The combined path escapes destFolder: an archive entry named ../evil.txt is written as evil.txt in the parent directory of destFolder, and deeper sequences (for example sub/../../evil.txt) escape in the same way. This bypasses the confinement the caller expects from an extraction directory and gives the archive author control over where files are placed on the file system.
What is the Impact of CVE-2021-32840?
Successful exploitation may allow attackers to write arbitrary files to critical locations on the file system. This could lead to unauthorized modification of application configuration, installation of malicious scripts, or, in the worst case, arbitrary code execution by overwriting executable files or configuration files that trigger code.
What is the Exploitability of CVE-2021-32840?
Exploitation is of medium complexity: the attacker needs a specially crafted TAR file whose entry names contain directory traversal sequences, and a way to get a vulnerable application to extract it. No authentication is required, because the vulnerability is triggered purely by the library's processing of archive data. The files are written with the privileges of the application or user account that runs the SharpZipLib extraction, so the reach of an attack is bounded by that account. The scenario is remote in the sense that the attacker crafts the archive and delivers it to the target (upload, download, or any other path by which the application accepts archives); the only precondition is that the application uses a vulnerable version of SharpZipLib to extract untrusted TAR archives. Since the write location is attacker-controlled, the consequences can be severe, up to remote code execution if sensitive system or application files can be targeted.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-32840?
About the Fix from Resolved Security
The patch addresses CVE-2021-32840 by ensuring extracted paths are contained within the intended destination directory, preventing directory traversal attacks. It does this by resolving the full path of the destination file’s directory and verifying that it starts with the destination directory, instead of just checking the file path itself, which could be bypassed with certain path manipulations.
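The following is an added example, not code from SharpZipLib or from the advisory, that reproduces in Python the two behaviours described in the Technical Details and fix sections above: an extractor that joins the entry name onto the destination directory without a containment check, and a hardened extractor that resolves the target's directory and verifies it lies inside the destination. The archive, its entry names and the directory layout are constructed for the demonstration. It also shows a caveat a practitioner should keep in mind when implementing the "starts with the destination directory" test the fix description mentions: a bare string-prefix comparison accepts a sibling directory that merely shares a prefix with the destination (out versus out-sibling), so the comparison must be made with a trailing separator or via a common-path test, as is done here with os.path.commonpath.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample archive (not a real-world sample): one benign entry and
# three entry names that try to escape the extraction directory.
SAMPLE_ENTRIES = {
    "docs/readme.txt": b"benign\n",
    "../evil.txt": b"written to the parent of destFolder\n",
    "docs/../../evil2.txt": b"dot-dot after a subdirectory\n",
    "../out-sibling/evil3.txt": b"sibling directory sharing a prefix with destFolder\n",
}


def build_tar(entries):
    """Build an in-memory TAR; entry names are stored verbatim, as an attacker would."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def resolve_target(dest_dir, entry_name):
    """Join the entry name onto dest_dir and normalise '..' (the Path.Combine + GetFullPath step).
    Note that an absolute entry name would make os.path.join discard dest_dir entirely."""
    return os.path.abspath(os.path.join(dest_dir, entry_name.replace("/", os.sep)))


def prefix_check_without_separator(dest_dir, target):
    """A plain 'starts with' test on the target's directory. Kept only to show its weakness."""
    return os.path.dirname(target).startswith(os.path.abspath(dest_dir))


def is_contained(dest_dir, target):
    """Hardened containment test: the target's directory must be dest_dir or a descendant of it."""
    dest = os.path.abspath(dest_dir)
    target_dir = os.path.dirname(target)
    try:
        return os.path.commonpath([dest, target_dir]) == dest
    except ValueError:  # e.g. different drives on Windows: never contained
        return False


def _write(target, data):
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)


def extract_vulnerable(tar_bytes, dest_dir):
    """Unchecked extraction: every entry lands wherever its name resolves to."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = resolve_target(dest_dir, member.name)
            _write(target, tar.extractfile(member).read())
            written.append(target)
    return written


def extract_hardened(tar_bytes, dest_dir):
    """Checked extraction: reject any entry whose resolved directory escapes dest_dir."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = resolve_target(dest_dir, member.name)
            if not is_contained(dest_dir, target):
                rejected.append(member.name)
                continue
            _write(target, tar.extractfile(member).read())
            written.append(target)
    return written, rejected


def demo():
    """Run both extractors in throwaway directories and report where the files ended up."""
    tar_bytes = build_tar(SAMPLE_ENTRIES)
    result = {}
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "out")
        vuln_written = extract_vulnerable(tar_bytes, dest)
        # Paths relative to the parent of destFolder; anything not under out/ has escaped.
        result["vulnerable_escaped"] = sorted(
            os.path.relpath(p, root) for p in vuln_written if not is_contained(dest, p))
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "out")
        written, rejected = extract_hardened(tar_bytes, dest)
        result["hardened_written"] = sorted(os.path.relpath(p, root) for p in written)
        result["hardened_rejected"] = sorted(rejected)
        # The sibling entry resolves to <root>/out-sibling/evil3.txt: a bare prefix test
        # on "<root>/out" accepts it, the common-path test does not.
        sibling = resolve_target(dest, "../out-sibling/evil3.txt")
        result["prefix_check_fooled"] = prefix_check_without_separator(dest, sibling)
        result["contained_check_fooled"] = is_contained(dest, sibling)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the unchecked extractor writing evil.txt and evil2.txt into the parent of the destination and evil3.txt into a sibling directory, while the hardened extractor writes only docs/readme.txt and rejects the other three names. The sibling case is the reason the containment test compares whole path components rather than a string prefix.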
Available Upgrade Options
- SharpZipLib
- <1.3.3 → Upgrade to 1.3.3
Additional Resources
- https://github.com/icsharpcode/SharpZipLib/commit/a0e96de70b5264f4c919b09253b1522bc7a221cc
- https://github.com/icsharpcode/SharpZipLib
- https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/
- https://github.com/icsharpcode/SharpZipLib/releases/tag/v1.3.3
- https://nvd.nist.gov/vuln/detail/CVE-2021-32840
- https://osv.dev/vulnerability/GHSA-m22m-h4rf-pwq3
What are Similar Vulnerabilities to CVE-2021-32840?
Similar Vulnerabilities: CVE-2001-0968, CVE-2007-4560, CVE-2019-10023, CVE-2019-1000004, CVE-2018-1000096
