The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): High
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system's settings and files.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Joomla! 4.1.0 Zip Slip File Overwrite / Path Traversal
-------------------------------------------------
Joomla! <= 4.1.0 (Tar.php) Zip Slip Vulnerability
-------------------------------------------------
[-] Software Link:
http://www.joomla.org/
[-] Affected Versions:
Version 4.1.0 and prior versions.
Version 3.10.6 and prior versions.
[-] Vulnerability Description:
The vulnerability is located in the
/libraries/vendor/joomla/archive/src/Tar.php script, specifically in
the Joomla\Archive\Tar::extract() method:
113. $this->getTarInfo($this->data);
114.
115. for ($i = 0, $n = \count($this->metadata); $i < $n; $i++)
116. {
117.     $type = strtolower($this->metadata[$i]['type']);
118.
119.     if ($type == 'file' || $type == 'unix file')
120.     {
121.         $buffer = $this->metadata[$i]['data'];
122.         $path = Path::clean($destination . '/' . $this->metadata[$i]['name']);
123.
124.         // Make sure the destination folder exists
125.         if (!Folder::create(\dirname($path)))
126.         {
127.             throw new \RuntimeException('Unable to create destination folder ' . \dirname($path));
128.         }
129.
130.         if (!File::write($path, $buffer))
131.         {
132.             throw new \RuntimeException('Unable to write entry to file ' . $path);
133.         }
134.     }
135. }
The vulnerability exists because the above code is using the filename
within the Tar archive ($path variable created at line 122) to write the
extracted file by using File::write() at line 130, without properly
verifying the destination path. This could be exploited to carry out Zip
Slip (or Path Traversal) attacks and write/overwrite arbitrary files,
potentially resulting in execution of arbitrary PHP code or other
dangerous impacts. In the Joomla! core, successful exploitation of this
vulnerability would require administrator privileges. However, there
could be third-party components using the
Joomla\Archive\Archive::extract() method. In such cases, this might
potentially be exploited also by unauthenticated attackers, depending on
the context.
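Nothing between Path::clean() at line 122 and File::write() at line 130 asks whether $path still lies under $destination; Path::clean() only normalises separators and collapses repeated slashes, it does not resolve '..' segments. The following is an added example (my own code, neither Joomla's nor the advisory author's) in plain PHP: naiveEntryPath() imitates the vulnerable computation, safeEntryPath() is a lexical containment check, and isBelowOnDisk() re-checks on the filesystem so that a symlink planted inside the destination by an earlier entry cannot redirect the write. The function names, the sample entry names and the temporary directories are constructed for the demo; it assumes PHP 7.4 or later and a writable system temp directory.

```php
<?php
declare(strict_types=1);

// Added example (not Joomla's code). Contrast of the vulnerable path computation
// with a containment check that refuses entries escaping the destination.

// Stand-in for the vulnerable line 122: concatenate and collapse slashes the way
// Path::clean() does. '..' segments are left in place, so the result can point
// anywhere on disk.
function naiveEntryPath(string $destination, string $name): string
{
    return preg_replace('#/+#', '/', rtrim($destination, '/') . '/' . $name);
}

// Lexical check: returns the normalised path under $destination, or null when the
// entry name is empty, carries a NUL byte, is absolute, or climbs above the
// destination with '..'.
function safeEntryPath(string $destination, string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // PHP on Windows treats '\' as a separator, so normalise it before checking.
    $name = str_replace('\\', '/', $name);
    if ($name[0] === '/') {
        return null;                      // absolute name inside the archive
    }
    $parts = [];
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($parts === []) {
                return null;              // would escape the destination
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    if ($parts === []) {
        return null;                      // resolves to the destination itself
    }
    return rtrim($destination, '/') . '/' . implode('/', $parts);
}

// Filesystem check, to run after the parent directory exists and just before the
// write: realpath() follows symlinks, so a symlinked directory planted inside
// $destination by an earlier entry cannot redirect the write, and a symlink at the
// target path itself is refused because file_put_contents() would follow it.
function isBelowOnDisk(string $destination, string $path): bool
{
    $root   = realpath($destination);
    $parent = realpath(dirname($path));
    if ($root === false || $parent === false || is_link($path)) {
        return false;
    }
    return $parent === $root
        || substr($parent, 0, strlen($root) + 1) === $root . DIRECTORY_SEPARATOR;
}

// Demo on constructed entry names (not taken from any real archive).
$destination = sys_get_temp_dir() . '/joomla-extract-demo';
@mkdir($destination, 0700, true);

$entries = [
    'images/logo.png',
    'a/./b/../c.txt',
    '../../../var/www/html/shell.php',
    '/etc/cron.d/evil',
    'a/../../escape.php',
];
foreach ($entries as $name) {
    printf("%-32s naive: %s\n", $name, naiveEntryPath($destination, $name));
    printf("%-32s safe:  %s\n", '', safeEntryPath($destination, $name) ?? 'REJECTED');
}

// Second layer: a symlink inside the destination that points outside it passes
// the lexical check but fails on disk.
$outside = sys_get_temp_dir() . '/joomla-extract-outside';
@mkdir($outside, 0700, true);
@symlink($outside, $destination . '/link');
$viaLink = safeEntryPath($destination, 'link/payload.php');
printf("%-32s lexical: %s, on disk: %s\n", 'link/payload.php', $viaLink,
    isBelowOnDisk($destination, $viaLink) ? 'ok' : 'REJECTED');
```

Run it with the PHP CLI. In the loop shown above, the lexical check belongs where $path is built at line 122 and the on-disk check between Folder::create() at line 125 and File::write() at line 130, since the parent directory has to exist before realpath() can resolve it; on a host without symlink support the last line reports REJECTED because the parent cannot be resolved, which is the safe failure.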
[-] Solution:
Upgrade to version 3.10.7, 4.1.1, or later.
[-] Disclosure Timeline:
[19/02/2022] - Vendor notified
[21/02/2022] - Vulnerability acknowledged by the vendor
[21/02/2022] - Vendor sent details about a proposed patch
[21/02/2022] - Sent feedback about the patch correctness
[29/03/2022] - Vendor update released
[29/03/2022] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2022-23793 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Other References:
https://developer.joomla.org/security-centre/870-20220301
[-] Original Advisory:
http://karmainsecurity.com/KIS-2022-05