CVE-2023-40826: The method of extracting the zip file has a path traversal vulnerability · Issue #536 · pf4j/pf4j
An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the zippluginPath parameter.
description
Dear project developers, I use SpringBoot and pf4j to implement the system's extension plug-in function; using the zip or jar package format makes it very easy to extend the system. When I was using pf4j, I found that the pluginPath value was not verified securely when loading plug-ins. If the developers using pf4j are not security conscious, directly calling the loadPluginFromPath method with malicious parameters passed by untrusted users would lead to directory traversal vulnerabilities.
affected version
<= release-3.9.0
vulnerability analysis
The sample code attempts to extract a malicious file (for example: C:\Windows\notepad.exe) to the root path of drive E to simulate a directory traversal attack.
1. Build a malicious ZIP file and save the resulting ZIP file to E:\Code\0811\malicious.zip.
2. Write a test class that calls the DefaultPluginManager#loadPluginFromPath method to load E:\Code\0811\malicious.zip. First run a test class to prove that the path E:\Windows\notepad.exe does not exist.
3. Debug the code:
   - Go to DefaultPluginManager#loadPluginFromPath.
   - Load the plug-in from disk. If the path is a zip file, unzip it first.
   - Do some preparatory work in FileUtils.
   - Follow up unzip.extract().
   - After execution completes, the target file has been extracted to the root directory of drive E.
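The check that the unzip step above lacks, as an added example that is not pf4j's own code: a small Java extractor that normalizes every entry path against the destination directory and refuses any entry that resolves outside it, exercised on a constructed in-memory archive holding one normal entry and one traversal entry.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzipDemo {
    // Resolve an entry name against the destination and refuse anything that
    // would land outside it; this is the validation a zip extractor needs
    // before it writes a single byte for that entry.
    static Path resolveSafely(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("Refusing zip entry outside destination: " + entryName);
        }
        return target;
    }

    // Extract all entries, validating each resolved path before writing it.
    static void extract(InputStream zipBytes, Path destDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(zipBytes)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                Path target = resolveSafely(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target);
                }
            }
        }
    }

    // Constructed sample archive (not a real plugin): one ordinary entry
    // followed by one entry whose name climbs out of the destination.
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("plugin.properties"));
            zos.write("plugin.id=demo\n".getBytes());
            zos.putNextEntry(new ZipEntry("../escaped.txt"));
            zos.write("x".getBytes());
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("pf4j-demo");
        try {
            extract(new ByteArrayInputStream(sampleZip()), dest);
        } catch (IOException ex) {
            System.out.println(ex.getMessage()); // the second entry is refused
        }
    }
}
```

The first entry lands inside the temporary directory; the second is rejected before anything is written, so nothing ever appears above the destination.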