Microsoft APM Windows Absolute Path Injection Vulnerability in Legacy Bundle Handling
Vulnerability
A vulnerability exists in Microsoft APM versions through 0.12.4 when run on Windows under Python 3.10 or 3.11. The issue arises during the legacy-bundle probing step of the 'apm install' command, where the application does not enforce archive extraction boundaries. When a local .tar.gz file is not recognized as a plugin-format bundle, APM probes it as a legacy bundle. That probe extracts untrusted tar members with 'tar.extractall()' without filtering out Windows absolute path names. As a result, a crafted archive can overwrite or create files outside the intended extraction directory, leading to unauthorized file modifications on the host system.
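As an added example (not APM's own code), the following performs the boundary check the legacy-bundle probe omits: it vets every member name of a .tar.gz against both POSIX and Windows path rules before extracting, so a Windows-absolute name such as 'D:/...' is rejected even when the check runs on a non-Windows host, and it uses the standard library's 'data' filter where the runtime provides one. The archive contents and the hostile member paths are constructed for the example.

```python
from __future__ import annotations
import io
import tarfile
from pathlib import Path, PurePosixPath, PureWindowsPath

def unsafe_member_reason(name: str) -> str | None:
    """Return why a member name is unsafe, or None if it may be extracted.
    Both flavours are checked on purpose: os.path.isabs('D:/x') is False on POSIX."""
    if PurePosixPath(name).is_absolute():
        return "absolute POSIX path"
    win = PureWindowsPath(name)
    if win.drive or win.root:  # 'D:/x', 'D:x', '\\x', '\\\\server\\share\\x'
        return "Windows drive or rooted path"
    if ".." in PurePosixPath(name).parts or ".." in win.parts:
        return "parent-directory traversal"
    return None

def audit_archive(data: bytes) -> dict[str, str]:
    """Map every unsafe member of a .tar.gz to the reason it was rejected."""
    problems: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            reason = unsafe_member_reason(member.name)
            if reason is None and not (member.isfile() or member.isdir()):
                reason = "not a regular file or directory"  # links, devices
            if reason is not None:
                problems[member.name] = reason
    return problems

def safe_extract(data: bytes, dest: Path) -> bool:
    """Extract only when the audit is clean; otherwise write nothing and return False."""
    if audit_archive(data):
        return False
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        # tarfile.data_filter exists on 3.12+ and on patched 3.10/3.11 releases
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    return True

def build_sample_bundle() -> bytes:
    """Constructed legacy-looking bundle: apm.lock.yaml plus two hostile placeholder names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in [("apm.lock.yaml", b"dependencies: []\n"),
                           ("C:/outside/injected.txt", b"outside the root\n"),
                           ("../../escape.txt", b"traversal\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Calling audit_archive(build_sample_bundle()) flags both hostile members while leaving apm.lock.yaml untouched, and safe_extract refuses the whole archive before any file is written.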
Impact
Exploitation of this vulnerability allows arbitrary file overwrites on the Windows filesystem outside the designated extraction root. The write happens during the 'apm install' command's legacy-bundle probing, before the bundle is rejected. Overwritten files can include project files such as GitHub Actions workflow documents, which are replaced with attacker-controlled content.
Reproduction
The vulnerability can be reproduced by creating a malicious .tar.gz file that includes a member with a Windows absolute path name, such as 'D:/apm/run-main-install/outside/legacy-probe-outside-main.txt'. The tarball is crafted to resemble a legacy APM bundle by including an 'apm.lock.yaml' file at its root. When the prepared tarball is passed to the 'apm install' command, the extraction flaw is triggered: the specified file is written outside the temporary extraction directory before the command finishes processing the bundle and raises an error.
Remediation
Users should update to Microsoft APM version 0.13.0 or later, where this vulnerability is fixed.
