gdown Path Traversal Vulnerability in extractall Functionality Allowing Arbitrary File Overwrite and Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in the gdown library in versions prior to 5.2.2. The issue is in the extractall function (gdown/extractall.py), which hands downloaded ZIP and TAR archives to the extraction methods of Python's tarfile or zipfile modules without validating the archive members' paths. A maliciously crafted archive can therefore carry members whose names contain '..' components or absolute paths, and those members are written outside the intended destination directory, potentially overwriting existing files and leading to remote code execution. In practice the TAR case is the dangerous one: tarfile.extractall historically applied no path filtering at all (Python 3.12 added an opt-in filter argument, and 3.14 makes the 'data' filter the default), whereas zipfile already strips '..' components and drive letters from member names on extraction.

Impact

Exploitation requires that the attacker supplies the archive (for example as the Google Drive file the victim downloads) and that the victim extracts it with gdown. It then allows arbitrary file writes and overwrites relative to the extraction directory, including files such as .bashrc or .ssh/authorized_keys when the traversal reaches the user's home directory. According to the GitHub advisory, this can also be turned into remote code execution by overwriting executable scripts or Python modules in a virtual environment.

Reproduction

To reproduce this vulnerability, create a TAR file that includes a member with a path traversal payload, such as '../escape.txt'. Then use gdown's extractall function to extract the archive into a directory that the payload can escape from, such as a subfolder within a 'safe_target' directory. After extraction, the traversed file appears one level up (safe_target/escape.txt instead of inside the subfolder), indicating successful exploitation.
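The following is an added example, not code from gdown or its advisory. It builds a constructed TAR archive with a '../escape.txt' member, extracts it with tarfile.extractall the way the vulnerable extractall is described above (no member-path validation, emulated with the hypothetical helper extractall_unfiltered), and then extracts it again through a hypothetical hardened helper, extractall_checked, that rejects members and links whose resolved destination falls outside the target directory. All function names are this example's own, and everything runs inside a temporary directory.

```python
"""Added example, not gdown's own code: builds a TAR archive with a
'../escape.txt' member, extracts it the way the advisory describes
(tarfile.extractall with no member-path validation) to show the escape,
then extracts it again through an explicit member-path check that rejects
it. All paths live in a temporary directory; nothing else is touched."""
import io
import os
import tarfile
import tempfile


class UnsafeMember(ValueError):
    """Raised when an archive member would land outside the destination."""


def build_tar(member_name: str, payload: bytes = b"pwned\n") -> bytes:
    """Constructed sample archive with a single regular-file member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extractall_unfiltered(archive: bytes, dest: str) -> None:
    """Mimics the pre-5.2.2 behaviour: extraction with no path validation.
    Python 3.12+ must be asked for the 'fully_trusted' filter to reproduce
    it; on 3.14 the default 'data' filter would already refuse the member."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        if hasattr(tarfile, "fully_trusted_filter"):
            tar.extractall(dest, filter="fully_trusted")
        else:
            tar.extractall(dest)


def _within(base: str, path: str) -> bool:
    """True if the resolved path is base itself or lies underneath it."""
    base, path = os.path.realpath(base), os.path.realpath(path)
    return path == base or path.startswith(base + os.sep)


def extractall_checked(archive: bytes, dest: str) -> list:
    """Hardened extraction: rejects absolute names, '..' escapes and links
    whose target resolves outside dest before writing anything. Returns the
    extracted member names."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = tar.getmembers()
        for m in members:
            target = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not _within(dest, target):
                raise UnsafeMember(f"member escapes destination: {m.name!r}")
            if m.issym():    # symlink target is relative to the link's directory
                link = os.path.join(os.path.dirname(target), m.linkname)
            elif m.islnk():  # hard link target is relative to the archive root
                link = os.path.join(dest, m.linkname)
            else:
                continue
            if not _within(dest, link):
                raise UnsafeMember(f"link escapes destination: {m.name!r}")
        # Defence in depth: also apply the stdlib 'data' filter where it exists.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return [m.name for m in members]


def demo() -> dict:
    """Runs both extractions in a throwaway tree mirroring the advisory's
    'safe_target/<subfolder>' layout and reports what happened."""
    evil = build_tar("../escape.txt")
    benign = build_tar("ok.txt")
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "safe_target", "sub")
        os.makedirs(target)
        extractall_unfiltered(evil, target)
        escaped = os.path.isfile(os.path.join(root, "safe_target", "escape.txt"))
        try:
            extractall_checked(evil, os.path.join(root, "checked"))
            blocked = False
        except UnsafeMember:
            blocked = True
        names = extractall_checked(benign, os.path.join(root, "checked"))
        ok = os.path.isfile(os.path.join(root, "checked", "ok.txt"))
    return {"escaped": escaped, "blocked": blocked, "benign": names, "benign_ok": ok}


if __name__ == "__main__":
    print(demo())
```

Validating every member before writing any of them matters: a symlink member pointing outside the destination followed by a regular member written through that link is the usual way to defeat a check that only looks at '..' in names, and rejecting the out-of-tree link up front closes that route as well.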

Remediation

Users should update to gdown version 5.2.2 or later, where this vulnerability has been fixed, and pin that minimum version in their dependency files. Instructions for downloading the latest version are available on the gdown GitHub releases page. Code that cannot upgrade immediately should not pass untrusted archives to extractall, or should extract them with tarfile's 'data' filter on Python 3.12 or newer.

Added: Apr 18, 2026, 3:21 AM
Updated: Apr 18, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.8
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.