When extracting archive formats there are many things that can go wrong. While some unarchiving tools and libraries protect from malicious archives that include path traversal attacks, other might not or at least not in the default configuration. We wrote a tool to create such archives with path traversal attacks in Python.
Recently we've come across different web applications and embedded devices that allow archive formats such as zips, tars and cpio archives as user input. Therefore, it is always important to check if they are affected by path traversal attacks. If you don't know what we're talking about you might want to read about the zip slip vulnerability or read our explanations in our Wind River VxWorks tarExtract directory traversal vulnerability (CVE-2023-38346) advisory.
While there have been tools such as slip and traversal-archives, we had some special use cases. Both tools and our new Archive Pwn tool slightly vary in supported archive formats (zip, tar and cpio here), file formats (tar ustar, gnu tar, cpio newc, etc.) and implemented attacks (simple path traversal, symlink attacks, etc.).
We encountered more complicated parsing routines that required us to create custom archives that already include a certain file structure. The analysed code sometimes unpacked a single file from the archive first and an error was thrown if the file was not present. However, the vulnerable code that would allow us to do a path traversal attack was later in the code. Therefore, we created Archive Pwn that packs an entire folder into the archive before adding the attack payload entry.
Most of the ideas came from looking at old vulnerabilities and specifications or the file formats in a hex editor and then implementing attacks such as maximum Windows path length attacks, unicode normalisation, DoS via very deep directories, including a path traversal in the filename included in .gz files, etc.
Creating a tool that generates as many combinations of attacks as possible was as well important, so the output of the tool can serve as a test collection for unarchiving tools. You can unpack all archives the tool creates and check if you can find a file in a different directory than the unpacking location.
We've also decided to make sure that we copy the tar and zip libraries from Python and slightly modify them, allowing us to implement further non-standard conform attacks in the future. There's an example in the README on the Archive Pwn Github page on how to create your own malicious archives.
The tool release is related to the recent advisories we released for Busybox cpio directory traversal vulnerability (CVE-2023-39810) and Wind River VxWorks tarExtract directory traversal vulnerability (CVE-2023-38346), where especially the VxWorks blog post deep-dives into some of the archive vulnerabilities.