| عنوان | https://www.enms.io/ eNMS 4.2 REMOTE CODE EXECUTION |
|---|
| الوصف | The vulnerability lies in the Controller.py file, specifically in the import_Services.py file at line 1089. There is an issue where a .tar file is uploaded, and the file name and the names of the files inside the .tar archive are not validated before extraction. As shown in the example code:
with open_tar(filepath) as tar_file:
tar_file.extractall(path=vs.file_path / "services")
This creates a ZIP Slip vulnerability because an attacker can control the file names. For example, by including a file named ../../../../.ssh/authorized_keys inside the .tar archive and modifying its content with their SSH key, the attacker can overwrite sensitive files. This would allow the attacker to gain SSH access to the system.
PRIVATE POC VIDEO:
https://www.youtube.com/watch?v=FJVFtNb4_qA |
|---|
| المصدر | ⚠️ https://security.snyk.io/research/zip-slip-vulnerability |
|---|
| المستخدم | slash0x99 (UID 77812) |
|---|
| ارسال | 19/11/2024 11:51 AM (2 سنوات منذ) |
|---|
| الاعتدال | 24/11/2024 05:31 PM (5 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 285986 [eNMS حتى 4.2 TGZ File eNMS/controller.py multiselect_filtering اجتياز الدليل] |
|---|
| النقاط | 20 |
|---|