less on sec

exploring, hacking and breaking stuff


CVE-2022-44900: path traversal vulnerability in py7zr

Directory traversal vulnerability in the SevenZipFile.extractall() function of the Python library py7zr, version 0.20.0 and earlier, allows attackers to read and write arbitrary files on the local machine via extraction of a malicious 7z file.

To exploit CVE-2022-44900, an attacker needs to craft a malicious 7z archive containing two kinds of entries: a symlink, which yields an arbitrary file read, and a file whose name carries a path traversal payload, which yields an arbitrary file write.

Exploiting

The script used for tests is the following; it extracts whatever the archive contains into the current working directory, without any check on member names:

import py7zr
import click


@click.command()
@click.argument("filename")
def main_procedure(filename):
    # Open the archive read-only and extract every member into the
    # current working directory; this is the call under test.
    with py7zr.SevenZipFile(filename, "r") as archive:
        archive.extractall()


if __name__ == "__main__":
    main_procedure()

The vulnerable function targeted is py7zr.SevenZipFile.extractall().

A lab setup was built to test the vulnerability. The directories were structured as follows:

├── start_point
│   ├── archive.7z
│   └── py7zr_test.py
└── target
    ├── write
    └── read

The start_point directory contains the test script and the malicious archive; the path traversal payload is carried by the filename of one of the archived files.

To achieve an arbitrary file write, one of the files in the archive needs to have ../target/write as its name. On extraction, the content of that file is written to target/write, outside the extraction directory.

In a similar way, to achieve an arbitrary file read, a symlink pointing to ../target/read needs to be present in the archive. After extraction, the symlink resolves to target/read, so reading the extracted entry yields the content of that file.
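From a defender's side, both payload shapes above can be rejected before extraction by validating every member name (and, for symlinks, the link target) against the destination directory. The following is an added example written for this post; it is not code from py7zr or from the original write-up. It is pure standard library and works on a constructed list of (member name, symlink target) pairs; wiring it to a real archive is left to the reader, since whether py7zr exposes symlink targets before extraction is not something this post covers (member names are available through SevenZipFile.getnames(), which is assumed here but not shown).

```python
import os

# Constructed sample member list modelled on the two payload shapes the post
# describes: (member name inside the archive, symlink target or None).
SAMPLE_MEMBERS = [
    ("docs/readme.txt", None),               # ordinary file, safe
    ("../target/write", None),               # traversal in the member name
    ("link_to_secret", "../target/read"),    # symlink pointing outside dest
    ("inner/link", "../docs/readme.txt"),    # symlink that stays inside dest
    ("/etc/passwd", None),                   # absolute member name
]


def _is_within(base, candidate):
    """True if the normalised candidate path lies at or below base."""
    base = os.path.abspath(base)
    candidate = os.path.abspath(candidate)
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:
        # Different drives on Windows: cannot be inside base.
        return False


def check_member(dest, name, link_target=None):
    """Return None when the member may be extracted into dest, else a reason.

    The member name is checked as a path under dest. If the member is a
    symlink, its target is resolved relative to the link's own directory and
    must also stay below dest. Absolute names and absolute link targets are
    rejected outright (a deliberate policy choice in this example).
    """
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        return "absolute path"
    member_path = os.path.normpath(os.path.join(dest, name))
    if not _is_within(dest, member_path):
        return "path escapes destination"
    if link_target is not None:
        if link_target.startswith(("/", "\\")) or os.path.isabs(link_target):
            return "absolute symlink target"
        resolved = os.path.normpath(
            os.path.join(os.path.dirname(member_path), link_target))
        if not _is_within(dest, resolved):
            return "symlink target escapes destination"
    return None


def audit_members(dest, members):
    """Map each unsafe member name to the reason it was rejected."""
    rejected = {}
    for name, link_target in members:
        reason = check_member(dest, name, link_target)
        if reason is not None:
            rejected[name] = reason
    return rejected


if __name__ == "__main__":
    # Audit the constructed sample against a hypothetical extraction directory.
    for name, reason in audit_members("/tmp/extract", SAMPLE_MEMBERS).items():
        print(f"REJECT {name!r}: {reason}")
```

The check is purely name-based, so it catches the two payloads this post describes but not a symlink extracted earlier in the archive that a later member then writes through; closing that gap requires either extracting with symlinks disabled or checking the real path of each target at write time. Rejecting the whole archive on the first failure, rather than skipping single members, is the safer policy.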

Disclosure timeline

29/10/2022 - Maintainer was notified privately of the vulnerabilities
30/10/2022 - Response from maintainer
01/11/2022 - Release of patched version 0.20.1
01/11/2022 - CVE ID request
06/12/2022 - CVE ID obtained
06/12/2022 - Public disclosure