CVE-2022-40976: Exploring the Path Traversal Vulnerability Found in Pilz Products

A recent path traversal vulnerability (CVE-2022-40976) was discovered in multiple products from Pilz, a leading automation technology company. Path traversal vulnerabilities can allow malicious actors to read sensitive system files or overwrite files, potentially leading to severe consequences. In this particular vulnerability, an unauthenticated local attacker could use a zipped, malicious configuration file to trigger arbitrary file writes, a pattern commonly known as 'zip-slip.' In this post, we will explore the code snippets, links to original references, and exploit details related to this vulnerability.

Details of the Vulnerability

A path traversal is a type of vulnerability that allows a malicious actor to access files or directories, or execute commands, outside of the context of a web application. It occurs when an application does not properly validate or sanitize user-supplied input containing file and directory paths, thus enabling unauthorized access to system resources.

The CVE-2022-40976 vulnerability in Pilz products is associated with such a path traversal attack. This flaw can be exploited by an unauthenticated local attacker, who uploads a zipped, malicious configuration file and thereby potentially writes arbitrary files on the target system.

PASvisu

Reference to the official security advisory can be found here.

Exploit Details

The vulnerability arises due to improper validation of file paths within the zipped configuration files. A malicious attacker with physical access to the target system can craft a zip file whose entry names contain "../" components. When the zipped configuration file is uploaded and extracted, this results in arbitrary file writes on the target system. Below is an example of an extraction routine that guards against zip-slip:

import zipfile
from pathlib import Path


def extract_zip(zip_file, destination):
    dest_root = Path(destination).resolve()
    with zipfile.ZipFile(zip_file, "r") as zf:
        for member in zf.infolist():
            # Resolve the would-be output path and require it to stay inside
            # the destination. This catches "../" components and absolute
            # member names such as "/etc/passwd" alike (a plain ".." check on
            # the joined path misses the absolute case, because joining an
            # absolute name onto the destination discards the destination).
            output_path = (dest_root / member.filename).resolve()
            if output_path != dest_root and dest_root not in output_path.parents:
                raise ValueError(f"Path traversal detected: {member.filename}")

            zf.extract(member, dest_root)


# Usage example:
if __name__ == "__main__":
    extract_zip("malicious.zip", "/tmp/extracted")

In the above code snippet, the function extract_zip rejects any archive entry whose output path would escape the destination directory, raising an exception before that entry is extracted.
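The safest place to catch zip-slip in an upload handler is before extraction starts, by vetting every entry name in the archive and refusing the whole upload if any entry is unsafe. The following is an added example written for this post; it is not code from Pilz or from the advisory, and the archive it inspects is a constructed sample, not a real PASvisu configuration file. It goes slightly beyond the "../" case in the text: it also flags absolute paths, Windows drive letters and backslash separators, and it normalizes names so that "a/../../b" is caught as well as "../b".

```python
import io
import posixpath
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real Pilz configuration file):
    one benign entry plus three entries a zip-slip scan should flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.xml", "<settings/>")
        zf.writestr("../../etc/cron.d/job", "parent-directory references")
        zf.writestr("/etc/passwd", "absolute path")
        zf.writestr("config\\..\\..\\win\\bad.txt", "backslash separators")
    return buf.getvalue()


def entry_is_unsafe(name: str) -> bool:
    """Return True if a zip entry name could escape the extraction directory.

    The name is treated as untrusted input: separators are unified, absolute
    paths and drive letters are rejected, and the path is normalised before
    looking for '..' so that 'a/../../b' is caught as well as '../b'.
    """
    unified = name.replace("\\", "/")
    if unified.startswith("/"):
        return True
    if len(unified) > 1 and unified[0].isalpha() and unified[1] == ":":
        return True  # e.g. "C:/Windows/..." on a Windows host
    norm = posixpath.normpath(unified)
    return norm == ".." or norm.startswith("../")


def find_traversal_entries(zip_bytes: bytes) -> list[str]:
    """Scan an archive without extracting it and list every entry that
    would write outside the destination directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if entry_is_unsafe(info.filename)]


def safe_extract(zip_bytes: bytes, destination: str) -> list[str]:
    """Extract only after the whole archive has been vetted. An archive with
    any unsafe entry is rejected outright rather than partially extracted,
    which is the right outcome for an uploaded configuration file."""
    bad = find_traversal_entries(zip_bytes)
    if bad:
        raise ValueError(f"zip-slip entries rejected: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(destination)
        return zf.namelist()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("flagged entries:", find_traversal_entries(sample))
```

Running the block prints the three offending entry names from the constructed archive, and safe_extract refuses the archive before touching the filesystem. Rejecting the whole upload, rather than silently skipping bad entries, also gives a clean event to log and alert on: a configuration upload containing traversal sequences is not something a legitimate engineering workstation produces.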

Mitigations

Ensure proper access controls and use secure communication channels.

It is highly recommended to apply these mitigations to protect your systems and the data they contain. Ensure that security updates are applied regularly and follow the vendor's best practices for system configuration.

Conclusion

Path traversal vulnerabilities like CVE-2022-40976 can pose a significant risk to organizations and their systems. Regularly updating software, implementing proper access controls, and maintaining secure communication channels are critical steps to minimize the chances of an attacker successfully exploiting such vulnerabilities. By understanding the code snippets and exploit details related to this vulnerability, security professionals can better protect their systems and safeguard sensitive data.

Timeline

Published on: 11/24/2022 10:15:00 UTC