SharpCompress Path Traversal Vulnerability in IArchive.WriteToDirectory() Allows Arbitrary File Writes

Vulnerability

A path traversal vulnerability has been identified in SharpCompress versions through 0.47.4. The issue is in the IArchive.WriteToDirectory() method, where a malicious archive can create directories outside the intended extraction root. It affects both ZIP and TAR archives. In TAR archives it can be chained with a symlink entry, which leads to arbitrary file writes on the target filesystem, depending on the permissions of the running process.

Impact

Exploiting this vulnerability gives an attacker path traversal: directories are created outside the intended extraction root. In TAR archives, chaining with a symlink entry escalates this to arbitrary file writes, bypassing normal extraction safeguards and writing files to locations outside the extraction directory.

Reproduction

The vulnerability can be reproduced by creating a ZIP or TAR archive that includes directory entries designed to traverse the file system, such as relative paths that escape the extraction root. This can be done using a .NET console application that crafts such an archive and then extracts it using SharpCompress, demonstrating the directory traversal and, in the case of TAR, the escalation to arbitrary file writes via a symlink entry.

Remediation

Users are advised to update to the latest version of SharpCompress, where this vulnerability has been addressed. For those who cannot update, it is recommended to avoid using the WriteToDirectory() method on untrusted archives.
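
For code that must screen untrusted archive entries itself, the following added example (not SharpCompress code and not the project's fix) shows a containment check on each entry's resolved destination. EntryInfo, ExtractionGuard and the refuse-all-links policy are assumptions made for illustration; an archive with any refused entry should be rejected as a whole.

```csharp
#nullable enable
using System;
using System.IO;

// Hypothetical record: the caller fills it from the archive library's entry list.
public record EntryInfo(string Name, string? LinkTarget = null);

public static class ExtractionGuard
{
    // Returns why an entry must be refused, or null when its destination stays under root.
    public static string? Reject(string root, EntryInfo entry)
    {
        char sep = Path.DirectorySeparatorChar;
        string fullRoot = Path.GetFullPath(root);
        if (!fullRoot.EndsWith(sep)) fullRoot += sep;   // "/srv/out" must not match "/srv/out-other"

        // Policy assumption: link entries are refused outright, since a later
        // entry written through a link can land outside the root.
        if (!string.IsNullOrEmpty(entry.LinkTarget)) return "link entry";

        // Treat both separator styles as separators on every platform.
        string name = entry.Name.Replace('\\', sep).Replace('/', sep);
        if (Path.IsPathRooted(name)) return "absolute path";

        // Resolve "." and ".." segments, then require the result to stay under the root.
        string dest = Path.GetFullPath(Path.Combine(fullRoot, name));
        return (dest + sep).StartsWith(fullRoot, StringComparison.Ordinal)
            ? null : "escapes extraction root";
    }

    public static void Main()
    {
        // Constructed entry list for illustration; not taken from a real archive.
        var entries = new[]
        {
            new EntryInfo("docs/readme.txt"),
            new EntryInfo("docs/../notes/"),
            new EntryInfo("../sibling/"),
            new EntryInfo("a/b/../../../elsewhere/"),
            new EntryInfo("shortcut", LinkTarget: "/some/other/place"),
        };
        foreach (var e in entries)
            Console.WriteLine($"{e.Name,-28} {Reject("extract-root", e) ?? "ok"}");
    }
}
```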

Added: May 26, 2026, 11:48 PM
Updated: May 26, 2026, 11:48 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.