NLTK
cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*
- <= 3.9.2
A path traversal vulnerability has been identified in the NLTK downloader, present in versions through 3.9.3. The issue arises because the downloader does not properly validate the 'subdir' and 'id' attributes when handling remote XML index files. This lack of validation allows attackers to manipulate a remote XML index server to include malicious values with path traversal sequences, leading to unauthorized directory creation, file creation, and overwriting of existing files. The vulnerability has been patched in a commit that adds the necessary validation to prevent such attacks.
Exploitation of this vulnerability allows for arbitrary file overwriting, with potential to overwrite critical system files such as '/etc/passwd' or '~/.ssh/authorized_keys'.
To reproduce this vulnerability, first install NLTK. Then, set up a malicious server that serves an XML index file containing path traversal sequences in the 'subdir' and 'id' attributes. After that, run a script that uses the NLTK downloader to download a package, which will trigger the vulnerability by overwriting a file specified in the malicious XML.
Users should update to the latest version of NLTK, where this vulnerability has been patched.
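The kind of validation the description refers to, shown as an added example and not NLTK's actual patch: every 'id' and 'subdir' value read from an index must be a single plain path component, and the resolved target must stay under the download directory. The `package` element layout, the `.zip` suffix, the allow-list pattern, the sample index and all function names are assumptions of this example.

```python
import os
import re
import xml.etree.ElementTree as ET

# Conservative allow-list for one path component (an assumption of this example).
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.\-]*$")

def is_safe_component(value):
    """True if value is one plain directory/file name with no separators or traversal."""
    return bool(value) and value not in (".", "..") and SAFE_COMPONENT.match(value) is not None

def safe_target(base_dir, subdir, pkg_id):
    """Return the download path for pkg_id under base_dir, or raise ValueError."""
    if not is_safe_component(subdir) or not is_safe_component(pkg_id):
        raise ValueError(f"unsafe index entry: subdir={subdir!r} id={pkg_id!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, subdir, pkg_id + ".zip"))
    # Defence in depth: the resolved path must still be inside base_dir.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"entry escapes download directory: {target!r}")
    return target

def audit_index(xml_text, base_dir):
    """Split index entries into accepted target paths and rejected (id, subdir) pairs."""
    accepted, rejected = [], []
    for pkg in ET.fromstring(xml_text).iter("package"):
        pkg_id, subdir = pkg.get("id", ""), pkg.get("subdir", "")
        try:
            accepted.append(safe_target(base_dir, subdir, pkg_id))
        except ValueError:
            rejected.append((pkg_id, subdir))
    return accepted, rejected

# Constructed sample index for the demonstration (not taken from a real server).
SAMPLE_INDEX = """<nltk_data><packages>
  <package id="punkt" subdir="tokenizers" url="https://example.invalid/punkt.zip"/>
  <package id="../../outside" subdir="corpora" url="https://example.invalid/a.zip"/>
  <package id="words" subdir="../elsewhere" url="https://example.invalid/b.zip"/>
  <package id="stopwords" subdir="/tmp" url="https://example.invalid/c.zip"/>
</packages></nltk_data>"""

if __name__ == "__main__":
    ok, bad = audit_index(SAMPLE_INDEX, "nltk_data")
    print("accepted:", ok)
    print("rejected:", bad)
```

Running the same audit over an index fetched from a mirror before passing it to a downloader shows which entries would have written outside the data directory.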