Python Arbitrary File Write Prevention: The Tarbomb

What is a “tarbomb” attack, and how can you protect your Python applications from it?


What is a Tarbomb?

The term “tarbomb” covers a few different things. One common definition is analogous to the XML bomb we looked at previously, where a small file expands into a very large object in memory: here the tar archive contains a great many (or very large) files that flood the file system when extracted. That variant is a denial of service, annoying rather than dangerous. We'll look instead at a more malicious variant: an archive whose member names contain `..` components or absolute paths, so that an extractor which does not validate member paths writes files outside the directory it was told to extract into. That is an arbitrary file write, and depending on where the process runs it can overwrite configuration, startup scripts or code.

Creating a Tarbomb

Creating a tarbomb isn’t very difficult. See the code example below for a simple tool I put together to quickly create tarbombs for testing.

Triggering the Tarbomb

Python's tarfile module is vulnerable to this weakness: extractall (and extract) joins each member name onto the destination path and writes there without checking that the result stays inside the destination. To trigger the vulnerability you just need to invoke the extractall method on a malicious tarball.

Protection

I couldn't find any reliable workaround for safe extraction after some light googling, so I made my own drop-in replacement library for tarfile. My solution, tarsafe, simply subclasses TarFile and adds safety checks before extraction.

Conclusion

I hadn’t planned to write this post — in fact I actually stumbled on this vulnerability a few weeks ago in the wild and thought I had discovered a new vulnerability in tarfile… while I did discover a vulnerability, it unfortunately wasn’t a new one. My hope is that this post will help raise awareness about tarfile and the dangers of handling suspect files without safety checks. Happy coding.

Written by

Founder @OchronaSec | PANW, ex Expanse, ex Tenable | DevSecOps | Automation | All views are my own... and awesome
