CVE-2022-37865: Apache Ivy Vulnerability - Unpacking Arbitrary Artifacts on the Local File System

In this post, we will discuss a significant vulnerability (CVE-2022-37865) that affects Apache Ivy versions 2.4. through 2.5.. This vulnerability allows attackers to unpack arbitrary artifacts on the local file system and potentially cause damage by overwriting important files. We will go over the technical details of this flaw, provide an example of a buggy code snippet, and recommend the necessary steps for mitigating this issue. Lastly, we will provide links to the original references for further study.

Technical Details

In Apache Ivy versions 2.4. to 2.5., there is an optional packaging attribute introduced, which allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. When working with artifacts that use the "zip", "jar", or "war" packaging, Ivy does not verify the target path when extracting the archive.

As a result, an archive containing absolute paths or paths trying to traverse "upwards" using ".." sequences can write files to any location on the local file system that the user executing Ivy has write access to.

Code Snippet Example

Here is an example of a vulnerable code snippet in Ivy before version 2.5.1. doUnpack function is called without any checks on the unpackedFile path:

private void doUnpack(File unpackedFile, File packedFile, FileOperationMonitor fom) throws IOException {
    if (unpackedFile.exists()) {
        if (fom != null) {
            fom.progress(, new File[] { unpackedFile, packedFile });
        }
    } else {
        InputStream is = null;
        OutputStream os = null;
        try {
            is = new FileInputStream(packedFile);
            os = new FileOutputStream(unpackedFile);
            copyThroughProgress(is, os, fom, new File[] { unpackedFile, packedFile });
        } finally {
            try {
                if (is != null) {
                    is.close();
                }
            } finally {
                if (os != null) {
                    os.close();
                }
            }
        }
    }
}

Exploit Details

An attacker can create a specially crafted zip, jar, or war file containing absolute paths or paths with ".." to traverse up the directory structure and overwrite critical files on the victim's local file system. This could lead to data loss or system instability.

For instance, an attacker could create a zip file with an entry like the following, which would execute arbitrary code upon extraction:

../../../../../../../../../../var/cron/tabs/root

This path aims to overwrite the root user's crontab file, causing the code inside to be executed with root privileges.

Mitigation and Recommendations

To protect against this vulnerability, users of Apache Ivy versions 2.4. to 2.5. should upgrade to Ivy 2.5.1 or later. The fixed version introduces proper validation of the target path when extracting archive files, preventing malicious archives from writing files to arbitrary locations on the local file system.

For more information on CVE-2022-37865 and the details of this vulnerability, please refer to the following resources:

- Apache Ivy Security Advisory
- CVE-2022-37865 Details

Conclusion

In this post, we explored the CVE-2022-37865 vulnerability affecting Apache Ivy versions 2.4. - 2.5. that could lead to arbitrary artifact unpacking on the local file system. We provided a code snippet example, explained the exploit details, and provided the necessary steps for mitigation. It's essential to keep software up-to-date and follow the recommended security practices to minimize the impact of these vulnerabilities.

Timeline

Published on: 11/07/2022 11:15:00 UTC
Last modified on: 11/08/2022 16:29:00 UTC