A recently discovered security vulnerability (CVE-2022-42125) exposes Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 to a Zip Slip attack. This high-risk vulnerability can lead to the creation or overwriting of existing files on the filesystem when an attacker deploys a malicious plugin or module. In this post, we will discuss the details of this vulnerability, provide a code snippet demonstrating the flaw, and offer mitigation strategies.
Description
The vulnerability, CVE-2022-42125, affects the FileUtil.unzip method in Liferay Portal and Liferay DXP. Zip Slip is a critical archive extraction vulnerability that allows an attacker to overwrite arbitrary files on the system, potentially leading to remote code execution or other security breaches.
The flaw occurs because the affected software does not properly validate and sanitize the filenames within a compressed archive before extracting them. As a result, an attacker can craft a malicious plugin or module containing a specially designed ZIP file with directory traversal filenames (e.g., ../../file-to-overwrite) that can overwrite existing files on the target system when processed by FileUtil.unzip.
Here is a simplified code snippet demonstrating the vulnerability in the FileUtil.unzip method (imports added; the copy helper is assumed to be the commons-io IOUtils):

    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.util.zip.ZipEntry;
    import java.util.zip.ZipInputStream;
    import org.apache.commons.io.IOUtils; // stream copy helper used by the snippet

    public static void unzip(File source, File destination)
        throws IOException {

        try (ZipInputStream zis = new ZipInputStream(new FileInputStream(source))) {
            ZipEntry zipEntry;
            while ((zipEntry = zis.getNextEntry()) != null) {
                // The entry name is used as-is, so "../../x" resolves outside destination.
                File targetFile = new File(destination, zipEntry.getName());
                if (zipEntry.isDirectory()) {
                    targetFile.mkdirs();
                } else {
                    targetFile.getParentFile().mkdirs();
                    // Writes wherever the traversal path points, overwriting existing files.
                    try (FileOutputStream fos = new FileOutputStream(targetFile)) {
                        IOUtils.copy(zis, fos);
                    }
                }
                zis.closeEntry();
            }
        }
    }
As seen in the code above, the FileUtil.unzip method processes each entry inside a ZIP file without validating and sanitizing the filenames. This allows an attacker to create a ZIP file containing directory traversal patterns that can lead to arbitrary file write or overwrite on the target system.
Exploit Details
An attacker can exploit this vulnerability by creating a malicious plugin or module containing a specially crafted ZIP file with arbitrary file paths, which include directory traversal patterns. When deployed on a vulnerable Liferay Portal or Liferay DXP instance, the malicious plugin/module can create or overwrite files on the target system, leading to potential Remote Code Execution (RCE) or unauthorized access to sensitive information.
To create a proof-of-concept exploit, an attacker could use a directory traversal pattern (e.g., ../../file-to-overwrite) inside a malicious ZIP file:
$ echo "Evil content" > ../../file-to-overwrite
$ zip malicious-plugin.zip ../../file-to-overwrite
By deploying the malicious-plugin.zip file on a vulnerable Liferay instance, an attacker could potentially overwrite existing files or create new ones, leading to system compromise or unauthorized access to sensitive data.
References
The original references regarding the CVE-2022-42125 vulnerability and its impact on Liferay Portal and Liferay DXP can be found at the following links:
1. CVE-2022-42125 - NIST National Vulnerability Database (NVD)
2. Liferay Security Advisory - Multiple Vulnerabilities in Liferay Portal and Liferay DXP (ZIP Slip)
Mitigation
Users of affected versions of Liferay Portal and Liferay DXP are advised to upgrade their installations to the latest patches or fixed releases, as per the information provided in the Liferay Security Advisory. In addition, Liferay administrators should ensure that only trusted plugins and modules from verified sources are deployed on their systems.
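The path-containment check that the vulnerable snippet in the Description lacks and that the fix described here relies on, as an added example written for this post rather than Liferay's own patched FileUtil: both the destination and the resolved entry are canonicalised, and any entry that lands outside the destination is rejected before anything is written. The class name SafeUnzip and the paths in main are assumptions for the demonstration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class SafeUnzip {

    /** Resolves an entry name under destination and rejects it if it escapes. */
    static File resolveEntry(File destination, String entryName) throws IOException {
        File destDir = destination.getCanonicalFile();
        File target = new File(destDir, entryName).getCanonicalFile();
        // Canonicalisation collapses "..", symlinks and mixed separators, so a
        // prefix check on the canonical paths suffices. The trailing separator
        // stops "/opt/out" from accepting a sibling such as "/opt/out-evil".
        String prefix = destDir.getPath() + File.separator;
        if (!target.equals(destDir) && !target.getPath().startsWith(prefix)) {
            throw new IOException("Zip entry escapes destination directory: " + entryName);
        }
        return target;
    }

    public static void unzip(File source, File destination) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new FileInputStream(source))) {
            ZipEntry zipEntry;
            while ((zipEntry = zis.getNextEntry()) != null) {
                File targetFile = resolveEntry(destination, zipEntry.getName());
                if (zipEntry.isDirectory()) {
                    targetFile.mkdirs();
                } else {
                    targetFile.getParentFile().mkdirs();
                    try (FileOutputStream fos = new FileOutputStream(targetFile)) {
                        zis.transferTo(fos); // Java 9+; replaces the IOUtils.copy call
                    }
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("unzip-demo").toFile(); // constructed destination
        System.out.println("accepted: " + resolveEntry(dest, "plugin/WEB-INF/web.xml"));
        try {
            resolveEntry(dest, "../../file-to-overwrite"); // the traversal name from this post
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the whole archive on the first bad entry (rather than skipping it) is the safer default, since a plugin whose entries point outside its install directory is not a plugin you want partially deployed.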
In conclusion, the CVE-2022-42125 vulnerability is a significant security issue that affects various versions of Liferay Portal and Liferay DXP. By understanding the flaw and applying appropriate mitigations, administrators can help protect their systems against potentially damaging attacks that exploit this vulnerability.
Timeline
Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/18/2022 16:51:00 UTC