Summary
Deepin-Compressor is the default archive manager of the Deepin Linux OS. It contains a path traversal vulnerability that can be exploited to achieve Remote Command Execution on the target system when a crafted archive is opened.
Details
While decompressing/extracting zip archives, deepin-compressor does not validate the file names of the archive entries. Prefixing an entry's filename with one or more "../" components leads to path traversal, which in turn gives an arbitrary file write and RCE.
PoC
Steps to create such a zip archive:
- Create a file for traversal

    echo "TEST" > XXYXXYXXYtmpYpoc.txt

- Make a normal zip archive

    zip poc.zip XXYXXYXXYtmpYpoc.txt

- Craft the malicious archive by rewriting the placeholders inside the zip

    sed -i s/"XXY"/"..\/"/g poc.zip
    sed -i s/"tmpY"/"tmp\/"/g poc.zip

Following the above steps produces a malicious zip archive; upon extracting it, a file named poc.txt will be created under the /tmp directory.
Impact
Remote Command Execution: by exploiting the vulnerability, an attacker can place malicious desktop entries under ~/.config/autostart to achieve RCE on the target.
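As an added example (not code from the advisory or from deepin-compressor), the per-entry check an extractor should perform before writing anything, plus a guarded extraction routine. It builds a constructed in-memory archive shaped like the PoC above (one benign entry, one "../../../tmp/poc.txt" entry) and shows the traversal entry being flagged and skipped while the benign one is extracted. The function names are this example's own.

```python
import io
import os
import posixpath
import tempfile
import zipfile

def is_safe_member(name: str) -> bool:
    """True if a zip entry name cannot escape the extraction directory."""
    # Absolute POSIX paths and Windows drive/UNC forms are never acceptable.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    # Zip names use "/"; normalise "\" too so "..\" variants are not missed.
    norm = posixpath.normpath(name.replace("\\", "/"))
    # Any ".." surviving normalisation at the front means traversal.
    return norm != ".." and not norm.startswith("../")

def unsafe_members(archive: bytes) -> list[str]:
    """Entries of an in-memory archive that would escape the target dir."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n)]

def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract only entries that stay under dest; return the names written."""
    root, written = os.path.realpath(dest), []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename) or info.is_dir():
                continue  # traversal attempt (or directory entry): skip
            target = os.path.realpath(os.path.join(root, info.filename))
            # Defence in depth: re-check the resolved path (symlinks etc.).
            if os.path.commonpath([root, target]) != root:
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written

def extract_to_tempdir(archive: bytes) -> list[str]:
    # Run safe_extract into a throwaway directory and report what was written.
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(archive, d)

def build_crafted_zip() -> bytes:
    """Constructed sample: one benign entry plus a traversal entry like the PoC."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("poc.txt", "TEST\n")
        zf.writestr("../../../tmp/poc.txt", "TEST\n")
    return buf.getvalue()
```

Note that Python's own ZipFile.extractall() strips such prefixes, but namelist() returns the raw names, which is what a detection rule or a pre-extraction scan should look at.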