| Title | https://www.enms.io/ eNMS 4.2 REMOTE CODE EXECUTION VIA ZIP SLIP |
|---|
| Description | The vulnerability lies in the Controller.py file, specifically in the import_Services.py file at line 1089. There is an issue where a .tar file is uploaded, and the file name and the names of the files inside the .tar archive are not validated before extraction. As shown in the example code:
with open_tar(filepath) as tar_file:
tar_file.extractall(path=vs.file_path / "services")
This creates a ZIP Slip vulnerability because an attacker can control the file names. For example, by including a file named ../../../../.ssh/authorized_keys inside the .tar archive and modifying its content with their SSH key, the attacker can overwrite sensitive files. This would allow the attacker to gain SSH access to the system.
PRIVATE POC VIDEO:
https://www.youtube.com/watch?v=FJVFtNb4_qA |
|---|
| Source | ⚠️ https://security.snyk.io/research/zip-slip-vulnerability |
|---|
| User | slash0x99 (UID 77812) |
|---|
| Submission | 11/19/2024 11:52 (2 years ago) |
|---|
| Moderation | 11/24/2024 17:32 (5 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 285986 [eNMS up to 4.2 TGZ File eNMS/controller.py multiselect_filtering path traversal] |
|---|
| Points | 0 |
|---|