| Title | https://www.enms.io/ eNMS 4.2 REMOTE CODE EXECUTION |
|---|
| Description | The vulnerability lies in the Controller.py file, specifically in the import_Services.py file at line 1089. There is an issue where a .tar file is uploaded, and the file name and the names of the files inside the .tar archive are not validated before extraction. As shown in the example code:
```python
with open_tar(filepath) as tar_file:
    tar_file.extractall(path=vs.file_path / "services")
```
This creates a ZIP Slip vulnerability because an attacker can control the file names. For example, by including a file named ../../../../.ssh/authorized_keys inside the .tar archive and modifying its content with their SSH key, the attacker can overwrite sensitive files. This would allow the attacker to gain SSH access to the system.
PRIVATE POC VIDEO:
https://www.youtube.com/watch?v=FJVFtNb4_qA |
|---|
| Source | ⚠️ https://security.snyk.io/research/zip-slip-vulnerability |
|---|
| User | slash0x99 (UID 77812) |
|---|
| Submitted | 2024-11-19 11:51 AM (2 years ago) |
|---|
| Moderation | 2024-11-24 05:31 PM (5 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 285986 [eNMS up to 4.2 TGZ File eNMS/controller.py multiselect_filtering directory traversal] |
|---|
| Points | 20 |
|---|
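The missing check from the description, written as an added example (not eNMS code and not part of the submission): every archive member is validated before anything is written, so an archive containing a `../` name is rejected whole. It goes slightly beyond the reported case by also refusing absolute names, links and special files. The names `safe_extract`, `build_tar` and `import_archive` are hypothetical, and the archives are constructed in memory.

```python
import io
import tarfile
from pathlib import Path


class UnsafeArchiveError(Exception):
    """An archive member would be written outside the destination."""


def safe_extract(tar: tarfile.TarFile, dest: Path) -> list:
    """Validate every member before writing anything, then extract."""
    root = dest.resolve()
    members = tar.getmembers()
    for m in members:
        # Resolve "..", absolute names and existing symlinks before comparing.
        target = (root / m.name).resolve()
        if target != root and root not in target.parents:
            raise UnsafeArchiveError(f"path escapes destination: {m.name}")
        if not (m.isfile() or m.isdir()):
            raise UnsafeArchiveError(f"non-regular member refused: {m.name}")
    # Defence in depth: use the stdlib "data" filter where this Python has it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(path=root, members=members, **extra)
    return [m.name for m in members]


def build_tar(entries: dict) -> bytes:
    """Build a constructed .tgz in memory from {member name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def import_archive(archive: bytes, dest: Path) -> str:
    """Hypothetical upload handler: 'extracted' or the rejection reason."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        try:
            safe_extract(tar, dest)
        except UnsafeArchiveError as exc:
            return f"rejected: {exc}"
    return "extracted"
```

Because validation runs over the full member list first, a benign file that precedes the traversal entry in the same archive is not written either.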