A directory traversal vulnerability (CVE-2022-44748) has been discovered in the ZIP archive extraction routines of KNIME Server since version 4.3. This vulnerability is also referred to as 'Zip-Slip' and can lead to arbitrary files being overwritten on the server's file system. Successful exploitation of this vulnerability can potentially compromise data integrity, cause errors in other software, or ultimately result in remote code execution.

Exploit Details

An attacker can create a KNIME workflow containing a maliciously crafted ZIP file that exploits the directory traversal vulnerability. When the workflow is uploaded to the KNIME Server, it can overwrite arbitrary files on the server, provided that the attacker knows the location of the target files and the operating system user running the KNIME Server process has write access to these files.

The following code snippet demonstrates a simple example of a Zip-Slip exploit scenario:

import zipfile

def extract_zip(zip_path, dest_path):
    # Open the archive read-only and walk its central directory
    with zipfile.ZipFile(zip_path, 'r') as zf:
        for entry in zf.infolist():
            # Naively strip '..' from the entry name before extracting.
            # Plain substring removal is not a reliable traversal defence;
            # the reliable check is to resolve the final target path and
            # verify that it stays inside dest_path.
            entry.filename = entry.filename.replace('..', '')
            zf.extract(entry, dest_path)

if __name__ == "__main__":
    extract_zip("malicious.zip", "/path/to/extract")

In this example, the script extracts a maliciously crafted ZIP file named "malicious.zip" to a specified destination path. Note that the attacker must have knowledge of the location of the target files on the server's file system to successfully exploit the vulnerability.
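The reliable defence against Zip-Slip is to canonicalise the path each entry would be written to and refuse any entry that resolves outside the destination directory. The following is an added example, not code from the page or from KNIME: the function and exception names are my own, and the archives are constructed in memory so the script runs offline. Validation runs over every entry before anything is written, so one hostile entry aborts the whole extraction instead of leaving partial output on disk.

```python
import io
import os
import zipfile


class UnsafeArchiveEntry(Exception):
    """Raised when an archive entry would land outside the destination."""


def resolve_member_path(dest_path, member_name):
    """Return the absolute path a member would be written to, or raise.

    Both the destination and the joined target are canonicalised, and the
    target must remain inside the destination. This rejects '..' segments,
    absolute names and any other spelling of an escape, because the check
    is on the resolved result rather than on the raw string.
    """
    dest_abs = os.path.realpath(dest_path)
    # os.path.join drops dest_abs when member_name is absolute, so the
    # commonpath comparison below also catches absolute entry names.
    target = os.path.realpath(os.path.join(dest_abs, member_name))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        raise UnsafeArchiveEntry(f"entry {member_name!r} escapes {dest_abs}")
    return target


def safe_extract(zip_bytes, dest_path):
    """Extract every entry after validating its target; return written paths.

    All entries are validated first, so a single bad entry aborts the
    extraction before any file has been created.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = zf.infolist()
        targets = [(e, resolve_member_path(dest_path, e.filename)) for e in entries]
        for entry, target in targets:
            if entry.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(entry) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(names):
    """Constructed sample input: an in-memory ZIP with the given entry names.

    zipfile does not normalise entry names on write, so a name such as
    '../evil.txt' is stored verbatim, which is exactly what a Zip-Slip
    archive looks like.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, f"content of {name}\n")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile

    dest = tempfile.mkdtemp()
    print(safe_extract(build_archive(["data/ok.txt", "readme.txt"]), dest))
    try:
        safe_extract(build_archive(["data/ok.txt", "../evil.txt"]), dest)
    except UnsafeArchiveEntry as exc:
        print("rejected:", exc)
```

Note that an entry like `data/../ok.txt` is accepted, because after resolution it still lives under the destination; the check is about where the bytes land, not about which characters appear in the name.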

Impact

1. Data integrity: Overwriting files can compromise the integrity of data stored on the server.

2. Software errors: Overwriting vital files can cause other software to fail or malfunction.

3. Remote code execution: Replacing and executing executable files can lead to arbitrary code execution.

It should be noted that users with permissions to upload workflows typically also have permissions to run them on the KNIME Server, which means they can already execute arbitrary code in the context of the KNIME Executor's operating system user.

Mitigation

There is no workaround available to prevent the exploitation of the CVE-2022-44748 vulnerability. Users are advised to update their KNIME Server installations to a fixed version: 4.13.6, 4.14.3, or 4.15.3.

For more information about the vulnerability and its impact, please refer to the following resources:

1. CVE-2022-44748
2. KNIME Security Advisory
3. The Zip-Slip Vulnerability

Conclusion

This post highlighted the CVE-2022-44748 vulnerability in KNIME Server's ZIP archive extraction routines, which can result in arbitrary files being overwritten on a server's file system. This vulnerability poses a significant risk to affected systems, and immediate action should be taken to update affected installations to patched versions.

Timeline

Published on: 11/24/2022 07:15:00 UTC
Last modified on: 11/30/2022 19:38:00 UTC