Closed 0xs1ash closed 1 day ago
afourmy
commented
1 day ago I modified it a bit before merging it, can you see if it is still working (I removed the part where we check that base_path == target_path, I don't think these paths should never be the same), and fixed the indentation (app couldn't load)
0xs1ash
commented
16 hours ago The update works perfectly, thank you. Please release the patch as a new version so that there is no confusion for those using the previous version, as this is version 4.2, and it is also labeled 4.2 here on GitHub. At first glance, people will think it is up-to-date. Please upgrade this to version 4.3 so it is recognized as the latest version. Thank you in advance, and I hope it won’t be an issue for you if I share this vulnerability on my blog since it has already been fixed.
Summary I had previously informed you about the RCE in your admin panel, and you mentioned that it was a feature. I decided to dig deeper into the system and discovered a very critical vulnerability. I found an Arbitrary File Write vulnerability in the system, which leads to remote code execution.
Details This is a vulnerability code section: controller.py:
def import_services(self, **kwargs): file = kwargs["file"] filepath = vs.file_path / "services" / file.filename (vs.file_path / "services").mkdir(parents=True, exist_ok=True) file.save(str(filepath)) with open_tar(filepath) as tar_file: tar_file.extractall(path=vs.file_path / "services") folder_name = tar_file.getmembers()[0].name status = self.migration_import( folder="services", name=folder_name, import_export_types=["service", "workflow_edge"], service_import=True, skip_pool_update=True, skip_model_update=True, ) rmtree(vs.file_path / "services" / folder_name, ignore_errors=True) if "Error during import" in status: raise Exception(status) return status There is a serious vulnerability in the code I mentioned above. The import_services function introduces a critical issue when attempting to import a tgz file. Specifically, the function uses open_tar to open the file and then extractall to extract its contents. However, the problem arises because the names of the files extracted from the tgz file are not being validated. This leads to a ZIP Slip vulnerability.
In other words, if we name a file within the tgz archive as ../../../../.ssh/authorized_keys and include an attacker’s SSH key as the content of this file, when the tgz file is imported and extracted, the system does not validate the file names. As a result, the data we provided will be written to the user's .ssh/authorized_keys file on the system. This allows us to connect to the system via SSH remotely and gain control over it.
PoC I have written a code that automates the entire process and eventually provides an SSH shell. You can watch the video below to analyze it. I will share the exploit's source code in the link below.
Poc Video: https://youtu.be/9vdSzQp_-iM Exploit Source code: https://mega.nz/folder/ZhIiDQaI#TUJCRV-XN41L-WEVAu0sWg
Impact This vulnerability allows remote attackers to execute arbitrary system commands, potentially leading to full system compromise and unauthorized access..