CVE-2026-44788
Status: Analyzed - Analysis Complete
Path Traversal and Arbitrary File Write in SharpCompress

Publication date: 2026-05-26

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
SharpCompress is a fully managed C# library to deal with many compression types and formats. In 0.47.4 and earlier, a path traversal vulnerability in IArchive.WriteToDirectory() allows a malicious archive to create directories outside the intended extraction root. For TAR archives, this can be escalated to arbitrary file writes by chaining with a symlink entry, giving a full write primitive on the target filesystem subject to the permissions of the running process.

Meta Information
Published: 2026-05-26
Last Modified: 2026-06-05
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-14

Affected Vendors & Products
Showing 1 associated CPE
Vendor: adamhathcock
Product: sharpcompress
Version / Range: up to 0.47.4 (inclusive)

CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

This vulnerability exists in SharpCompress, a C# library used for handling various compression formats. In versions 0.47.4 and earlier, there is a path traversal flaw in the IArchive.WriteToDirectory() method. This flaw allows a maliciously crafted archive to create directories outside the intended extraction folder.

For TAR archives specifically, this vulnerability can be exploited further by chaining it with a symbolic link entry, enabling arbitrary file writes on the target filesystem. The ability to write files depends on the permissions of the process running the extraction.

Impact Analysis

This vulnerability can lead to unauthorized file creation or modification outside the intended extraction directory. An attacker could potentially overwrite critical system or application files if the process has sufficient permissions.

Such unauthorized writes could compromise system integrity, lead to privilege escalation, or enable further attacks by placing malicious files on the system.

Compliance Impact

The vulnerability in SharpCompress allows malicious archives to create directories outside the intended extraction root and, in some cases, write arbitrary files on the filesystem. This can lead to unauthorized modification or creation of files, which may compromise data integrity and security.

Such unauthorized file writes and potential privilege escalations could result in violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls over data access, integrity, and confidentiality.

Organizations using affected versions of SharpCompress without proper mitigation may risk non-compliance due to the possibility of attackers manipulating or injecting files, potentially exposing sensitive personal or health information.

Detection Guidance

Detection of this vulnerability involves identifying usage of the SharpCompress library version 0.47.4 or earlier, specifically where the WriteToDirectory() method is called on untrusted archives.

Since the vulnerability allows path traversal and arbitrary file writes via crafted archives, detection can include monitoring for unusual directory creation outside expected extraction roots or unexpected file writes after archive extraction.

There is no direct command provided to detect exploitation, but you can check for suspicious extraction activity by monitoring filesystem changes or scanning for archives containing path traversal patterns like "../" or absolute paths.

  • Use file integrity monitoring tools to detect unexpected file creations or modifications outside normal directories.
  • Manually inspect archives before extraction for entries with relative path traversal sequences (e.g., ../../evil) or absolute paths.
  • If you have access to the system logs or application logs, look for errors or warnings related to archive extraction or unexpected directory creation.

Mitigation Strategies

The primary mitigation is to upgrade the SharpCompress library to a version later than 0.47.4 where the vulnerability is fixed.

If upgrading is not immediately possible, avoid extracting untrusted TAR or ZIP archives using the WriteToDirectory() method.

Ensure that any symbolic link handlers used during TAR extraction validate the link targets to prevent arbitrary file writes.

Apply path validation logic to normalize and check paths before extraction, ensuring no files or directories are created outside the intended extraction root.

Restrict permissions of the process performing extraction to limit the impact of potential exploitation.
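
The path validation and link-target checks described above, and the pre-extraction inspection from the detection guidance, sketched as an added example (not SharpCompress code and not its fix). The names ExtractionGuard and Audit and the sample paths are assumptions; entries are passed in as plain (name, link target) pairs so the check does not rely on any library API.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.IO;

// Added example: audits archive entry names before anything is written to disk.
public static class ExtractionGuard
{
    // True when 'candidate' resolves to 'root' itself or to a path beneath it.
    static bool IsUnder(string root, string candidate)
    {
        char sep = Path.DirectorySeparatorChar;
        string r = Path.GetFullPath(root).TrimEnd(sep) + sep;
        string c = Path.GetFullPath(candidate).TrimEnd(sep) + sep;
        // The trailing separator stops "/srv/out-evil" from matching root "/srv/out".
        // Ordinal comparison is strict; on case-insensitive volumes it errs towards rejecting.
        return c.StartsWith(r, StringComparison.Ordinal);
    }

    // Returns one finding per entry that must not be extracted under 'root'.
    public static List<string> Audit(string root, IEnumerable<(string Name, string? LinkTarget)> entries)
    {
        var findings = new List<string>();
        var links = new List<string>(); // resolved locations of link entries seen so far
        foreach (var (name, linkTarget) in entries)
        {
            // Path.Combine drops 'root' when 'name' is rooted, so absolute names fail IsUnder.
            string dest = Path.GetFullPath(Path.Combine(root, name));
            if (!IsUnder(root, dest)) { findings.Add($"escapes root: {name}"); continue; }
            // An entry at or below an earlier link entry would be written through that link.
            if (links.Exists(l => IsUnder(l, dest))) { findings.Add($"written through link: {name}"); continue; }
            if (linkTarget == null) continue;
            // Relative link targets resolve against the directory that holds the link.
            string target = Path.GetFullPath(Path.Combine(Path.GetDirectoryName(dest) ?? root, linkTarget));
            if (!IsUnder(root, target)) findings.Add($"link target escapes root: {name} -> {linkTarget}");
            links.Add(dest); // tracked even when the target is inside the root
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed entry list for illustration; not taken from a real archive.
        var sample = new (string, string?)[] {
            ("docs/readme.txt", null), ("../outside/", null),
            ("logs", "/var/tmp"), ("logs/app.log", null) };
        foreach (string f in Audit("/srv/extract", sample)) Console.WriteLine(f);
    }
}
```

An archive that produces any finding should be rejected as a whole rather than extracted with the flagged entries skipped.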
