Partition MSG Library, Path Traversal, Critical

Listen to this Post

The vulnerability resides in the `partition_msg` function when configured with process_attachments=True. This function processes Microsoft Outlook MSG email files and extracts any embedded attachments. The core issue is the absence of sanitization on the attachment filename parameter extracted from the MSG file structure. An attacker can craft a malicious MSG file where the attachment’s filename field contains directory traversal sequences, such as ../../../etc/cron.d/malicious. When the library processes this file, it uses this unsanitized filename directly in filesystem write operations. The function constructs the output path by concatenating the user-provided or default base directory with this malicious filename. Without validation, sequences like `../` are not neutralized, allowing the write operation to escape the intended target directory. Consequently, the file content from the attachment is written to an arbitrary, attacker-chosen location on the server’s filesystem. This primitive grants arbitrary file write capability. The severity escalates because this can overwrite critical system files, application configurations, or scripts. For instance, overwriting a cron job file leads to immediate remote code execution under the privileges of the application processing the MSG file. The vulnerability is triggered during the normal attachment processing workflow, requiring no special exceptions or error conditions to be met, making exploitation reliable.
Platform: MSG Processing Library
Version: Unspecified versions
Vulnerability: Path Traversal
Severity: Critical
date: Not provided

Prediction: Patch TBA

What Undercode Say:

Analytics:

Example command to inspect an MSG file structure for embedded attachment names
python3 -c "import msg_parser; m=msg_parser.MsgParser('malicious.msg'); print(m.attachments)"
Simulated vulnerable code path in partition_msg function
def save_attachment(filename, data, output_dir='./'):
Vulnerable: No sanitization of 'filename'
path = os.path.join(output_dir, filename)
with open(path, 'wb') as f:
f.write(data)

How Exploit:

Craft an MSG file with an attachment named ../../../../home/user/.ssh/authorized_keys. Send this file to a target system using the vulnerable library with process_attachments=True. The library will write the attachment’s content to the specified path, overwriting the SSH authorized_keys file and granting attacker access.

Protection from this CVE:

Set process_attachments=False. Validate filenames using os.path.basename(). Implement allowlisting for safe characters.

Impact:

Arbitrary file overwrite. Remote code execution. Data corruption. Denial of service.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top