Exploit for Joomla! 4.1.0 Zip Slip File Overwrite / Path Traversal CVE-2022-23793

Name: Exploit for Joomla! 4.1.0 Zip Slip File Overwrite / Path Traversal CVE-2022-23793
Rating: 5 (202 reviews)
2022-03-30 | CVSS 0.1
## https://sploitus.com/exploit?id=PACKETSTORM:166546
-------------------------------------------------  
Joomla! <= 4.1.0 (Tar.php) Zip Slip Vulnerability  
-------------------------------------------------  
  
  
[-] Software Link:  
  
http://www.joomla.org/  
  
  
[-] Affected Versions:  
  
Version 4.1.0 and prior versions.  
Version 3.10.6 and prior versions.  
  
  
[-] Vulnerability Description:  
  
The vulnerability is located in the   
/libraries/vendor/joomla/archive/src/Tar.php script. Specifically, into   
the Joomla\Archive\Tar::extract() method:  
  
113. $this->getTarInfo($this->data);  
114.  
115. for ($i = 0, $n = \count($this->metadata); $i < $n; $i++)  
116. {  
117. $type = strtolower($this->metadata[$i]['type']);  
118.  
119. if ($type == 'file' || $type == 'unix file')  
120. {  
121. $buffer = $this->metadata[$i]['data'];  
122. $path = Path::clean($destination . '/' .   
$this->metadata[$i]['name']);  
123.  
124. // Make sure the destination folder exists  
125. if (!Folder::create(\dirname($path)))  
126. {  
127. throw new \RuntimeException('Unable to create destination   
folder ' . \dirname($path));  
128. }  
129.  
130. if (!File::write($path, $buffer))  
131. {  
132. throw new \RuntimeException('Unable to write entry to file ' .   
$path);  
133. }  
134. }  
135. }  
  
The vulnerability exists because the above code is using the filename   
within the Tar archive ($path variable created at line 122) to write the   
extracted file by using File::write() at line 130, without properly   
verifying the destination path. This could be exploited to carry out Zip   
Slip (or Path Traversal) attacks and write/overwrite arbitrary files,   
potentially resulting in execution of arbitrary PHP code or other   
dangerous impacts. In the Joomla! core, successful exploitation of this   
vulnerability would require administrator privileges. However, there   
could be third-party components using the   
Joomla\Archive\Archive::extract() method. In such cases, this might   
potentially be exploited also by unauthenticated attackers, depending on   
the context.  
  
  
  
[-] Solution:  
  
Upgrade to version 3.10.7, 4.1.1, or later.  
  
  
[-] Disclosure Timeline:  
  
[19/02/2021] - Vendor notified  
[21/02/2021] - Vulnerability acknowledged by the vendor  
[21/02/2021] - Vendor sent details about a proposed patch  
[21/02/2021] - Sent feedback about the patch correctness  
[29/03/2022] - Vendor update released  
[29/03/2022] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2022-23793 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Other References:  
  
https://developer.joomla.org/security-centre/870-20220301  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2022-05