BentoML Arbitrary File Write Vulnerability via Symlink Path Traversal in Tar Extraction

A vulnerability in BentoML's tar file extraction process allows for arbitrary file writes on the host filesystem. This issue arises in versions of BentoML prior to 1.4.36, where the 'safe_extract_tarfile()' function fails to properly validate symlink targets during extraction. An attacker can exploit this by creating a malicious tar file with a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink.

Impact

Exploitation of this vulnerability allows for arbitrary file writes on the host system. In the context of BentoML, this could lead to overwriting critical files such as the user's bashrc, SSH authorized keys, or Python site-packages, with potential for remote code execution.

Reproduction

The vulnerability can be reproduced by creating a tar file that includes a symlink pointing to a location outside the extraction directory, along with a file that writes through the symlink. When this tar file is extracted using the vulnerable 'safe_extract_tarfile()' function, the file is written to the target location, bypassing directory restrictions.

Remediation

Users can update to BentoML version 1.4.36 or later, where this vulnerability has been fixed. Alternatively, symlink targets can be manually validated before extraction.