CVE-2024-10389
📋 TL;DR
This path traversal vulnerability in Safearchive allows attackers to write arbitrary files during archive extraction by exploiting symbolic links on case-insensitive filesystems like NTFS. It affects systems using Safearchive to process untrusted archives, potentially leading to file system compromise.
💻 Affected Systems
- Safearchive
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary file write leading to remote code execution, data destruction, or privilege escalation.
Likely Case
Arbitrary file overwrite or creation in accessible directories, potentially leading to web shell deployment, configuration modification, or data corruption.
If Mitigated
Limited impact if archives are from trusted sources only and extraction occurs in isolated environments with restricted permissions.
🎯 Exploit Status
Exploitation requires creating a malicious archive with symbolic links that leverage case-insensitive path traversal.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc or later
Vendor Advisory: https://github.com/google/safearchive/commit/f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc
Restart Required: No
Instructions:
1. Update Safearchive to commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc or later.
2. Rebuild any applications using Safearchive.
3. Test archive extraction functionality.
🔧 Temporary Workarounds
Restrict archive sources
Only process archives from trusted, verified sources to prevent malicious archive uploads.
Use case-sensitive filesystems
Deploy on case-sensitive filesystems (ext4, XFS with case-sensitive settings) where the vulnerability does not apply.
🧯 If You Can't Patch
- Implement strict input validation for archive files and reject archives containing symbolic links.
- Run archive extraction in isolated containers or sandboxes with restricted file system access.
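A pre-extraction scanner implementing the link-rejection check above, added here as an example and not Safearchive's own code. It refuses every link entry and additionally flags regular entries whose parent directory case-folds to a link name, which is the case-insensitive condition this CVE depends on; the function names and the in-memory sample archives are constructed for the demonstration.

```python
import io
import posixpath
import tarfile


def scan_archive(data: bytes) -> list[str]:
    """Return reasons to reject the archive; empty means it passed.

    Links are refused outright; regular entries whose parent directory
    case-folds to a link name are flagged too (the NTFS-style case).
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
    # Pass 1: collect link names (case-folded) and reject them.
    link_names = {}
    for m in members:
        if m.issym() or m.islnk():
            link_names[posixpath.normpath(m.name).casefold()] = m.name
            problems.append(f"link entry not allowed: {m.name} -> {m.linkname}")
    # Pass 2: classic traversal checks plus the case-insensitive link check.
    for m in members:
        norm = posixpath.normpath(m.name)
        if posixpath.isabs(m.name) or norm == ".." or norm.startswith("../"):
            problems.append(f"path escapes extraction root: {m.name}")
        parent = posixpath.dirname(norm)
        while parent and parent != ".":
            if parent.casefold() in link_names:
                problems.append(f"{m.name} passes through link {link_names[parent.casefold()]}")
                break
            parent = posixpath.dirname(parent)
    return problems


def build_sample(entries) -> bytes:
    """Construct an in-memory tar; entries are (name, "file"|"symlink", payload)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Run `scan_archive` on an archive before handing it to the extractor and refuse extraction whenever the returned list is non-empty.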
🔍 How to Verify
Check if Vulnerable:
Check the Safearchive version/commit hash; if it predates f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc and runs on a case-insensitive filesystem, it is likely vulnerable.
Check Version:
Check git commit hash or version in Safearchive source/build configuration.
Verify Fix Applied:
Verify Safearchive is at commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc or later, and test extraction with archives containing symbolic links.
📡 Detection & Monitoring
Log Indicators:
- Unusual archive extraction patterns, multiple failed extraction attempts, unexpected file writes during extraction
Network Indicators:
- Large or suspicious archive uploads to systems using Safearchive
SIEM Query:
Search for archive extraction events followed by file creation/modification outside expected directories.