
Directory Listing via Parameter Manipulation in ZimaOS

High
LinkLeong published GHSA-mwpw-fhrm-728x Oct 24, 2024

Package

https://github.com/IceWhaleTech/ZimaOS/ (ZimaOS)

Affected versions

<=1.2.4

Patched versions

1.2.5

Description

Summary

The API endpoint http://<Zima_Server_IP:PORT>/v2_1/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on the server. By manipulating the path parameter, attackers can access sensitive system directories such as /etc, potentially exposing critical configuration files and increasing the risk of further attacks.

Details


PoC

  1. Authenticate to ZimaOS and obtain a valid session token.
  2. Use the following request to manipulate the path parameter and list the contents of the /etc directory:

     GET http://<Zima_Server_IP:PORT>/v2_1/file?path=%2Fetc&index=0&size=10000&sfz=true&sort=name&direction=asc

     Response:

     {
         "files": [
             {"name": "passwd", "type": "file"},
             {"name": "shadow", "type": "file"},
             {"name": "hostname", "type": "file"},
             {"name": "hosts", "type": "file"},
             {"name": "network", "type": "directory"},
             ...
         ]
     }

This response reveals the contents of the /etc directory, exposing system configuration files such as /etc/passwd, /etc/shadow, and more.

YouTube Video PoC

Unlisted YouTube PoC Link

Impact

  • Sensitive Information Disclosure: Attackers can view the contents of system directories, exposing files like /etc/passwd, which can lead to further attacks, including privilege escalation or unauthorized access.
  • Preparation for Other Attacks: Knowing which files and directories exist on the system enables attackers to target specific files for unauthorized access or file inclusion attacks.
  • Increased Risk of Privilege Escalation: Access to files like /etc/shadow could lead to password cracking, allowing attackers to escalate privileges.

Recommendation

  1. Input Validation: Restrict the path parameter to only allow access to predefined directories that are safe for users to interact with. Disallow the listing of critical system directories like /etc.

  2. Whitelist Allowed Directories: Implement a whitelist of directories that users are allowed to access, ensuring that any requests outside these directories are rejected.

  3. Example of restricting file access to specific directories:

import os

def list_files(directory):
    # Return the entries of a directory that has already passed the checks below
    return sorted(os.listdir(directory))

def secure_directory_access(requested_path):
    # Only these directory trees may be listed by users
    allowed_directories = ["/var/user_files", "/home/user"]
    base_directory = os.path.realpath("/var")

    # Drop a leading separator so an absolute value cannot make os.path.join discard
    # the base, then resolve symlinks and ".." segments before checking the result
    relative = requested_path.lstrip("/")
    full_path = os.path.realpath(os.path.join(base_directory, relative))

    # Compare whole path components rather than string prefixes, so that
    # "/var/user_files_other" is not accepted because it starts with "/var/user_files"
    if not any(os.path.commonpath([full_path, os.path.realpath(allowed)]) == os.path.realpath(allowed)
               for allowed in allowed_directories):
        return "Access Denied", 403

    # Proceed with listing files in the directory
    return list_files(full_path), 200

  4. Access Control: Implement fine-grained access control to ensure that only authorized users can access certain directories. Limit file listings to user-specific or application-specific directories.

  5. Logging and Monitoring: Log attempts to access sensitive directories and generate alerts for suspicious activity. Regular monitoring can help detect and respond to unauthorized access attempts in a timely manner.
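The logging and monitoring recommendation above can also be applied retroactively to web-server access logs. The following is an added example (not code from the advisory or from the ZimaOS project): it parses constructed access-log lines, extracts the path parameter of /v2_1/file requests, normalizes it with posixpath.normpath so that ".." sequences are collapsed, and flags every request whose target lies outside an allowed root. The ALLOWED_ROOTS list, the log format and all addresses are assumptions made for the example; the advisory does not state which directories ZimaOS legitimately exposes.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Directory trees users are legitimately allowed to list (assumption for this example)
ALLOWED_ROOTS = ["/DATA", "/media"]

# Constructed access-log lines in a common-log-like shape; not real ZimaOS logs.
# The second line carries the exact query string from the advisory's PoC.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2024:10:00:01 +0000] "GET /v2_1/file?path=%2FDATA%2Fphotos&index=0&size=100 HTTP/1.1" 200 512
10.0.0.7 - - [24/Oct/2024:10:00:02 +0000] "GET /v2_1/file?path=%2Fetc&index=0&size=10000&sfz=true&sort=name&direction=asc HTTP/1.1" 200 2048
10.0.0.7 - - [24/Oct/2024:10:00:03 +0000] "GET /v2_1/file?path=%2FDATA%2F..%2F..%2Fetc%2Fnetwork&index=0 HTTP/1.1" 200 300
10.0.0.9 - - [24/Oct/2024:10:00:04 +0000] "GET /v2_1/file?path=%2FDATAbackup&index=0 HTTP/1.1" 404 90
10.0.0.9 - - [24/Oct/2024:10:00:05 +0000] "GET /v2_1/other HTTP/1.1" 200 10
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def path_escapes_roots(decoded_path):
    """Return True when an already percent-decoded path parameter resolves outside every allowed root."""
    # normpath collapses "..", "." and repeated slashes purely lexically; it never touches the filesystem
    normalized = posixpath.normpath(decoded_path)
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    for root in ALLOWED_ROOTS:
        # Exact match or a match at a "/" boundary: "/DATAbackup" must NOT pass for root "/DATA"
        if normalized == root or normalized.startswith(root + "/"):
            return False
    return True


def find_traversal_attempts(log_text):
    """Return (source_ip, status, normalized_path) for each /v2_1/file request whose path escapes the roots."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/v2_1/file":
            continue
        # parse_qs percent-decodes the values, so "%2Fetc" arrives here as "/etc"
        for decoded in parse_qs(parts.query, keep_blank_values=True).get("path", []):
            if path_escapes_roots(decoded):
                hits.append((m.group("src"), int(m.group("status")), posixpath.normpath(decoded)))
    return hits


def alert_sources(hits, threshold=2):
    """Return the source addresses with at least `threshold` escaping requests (a simple alert rule)."""
    counts = {}
    for src, _status, _path in hits:
        counts[src] = counts.get(src, 0) + 1
    return {src for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, status, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"{src} requested listing of {path} -> HTTP {status}")
    print("alert:", alert_sources(find_traversal_attempts(SAMPLE_LOG)))
```

A 200 status on a flagged request means the server actually returned the listing, which is what an unpatched (<=1.2.4) instance would do; after updating to 1.2.5 the same requests should appear with a denial status, so the status column doubles as a patch-verification signal.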

Possible Fix Code:

Here’s an example code snippet that restricts directory listing to only safe, predefined directories:

import os

def list_files_in_secure_directory(path):
    # realpath normalizes the base too (no trailing slash), so the comparison below is
    # component-wise and the base directory itself can still be listed
    base_directory = os.path.realpath("/var/safe_directories")

    # Drop a leading "/" so os.path.join cannot be made to discard the base, then
    # resolve symlinks and ".." to get the real path and avoid directory traversal
    requested_path = os.path.realpath(os.path.join(base_directory, path.lstrip("/")))

    # Ensure the path is within the allowed base directory (a string prefix check would
    # also accept "/var/safe_directories_other")
    if os.path.commonpath([base_directory, requested_path]) != base_directory:
        return "Access Denied", 403

    # Proceed with listing the files
    try:
        files = os.listdir(requested_path)
        return files, 200
    except FileNotFoundError:
        return "Directory Not Found", 404
    except NotADirectoryError:
        return "Not a Directory", 400

This code ensures that users can only list files within the /var/safe_directories/ directory and prevents access to system-critical directories like /etc.
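The snippet above shows the check in isolation. The following is an added example (not the advisory's or the ZimaOS project's code) that carries the same idea through to a handler in the shape of the /v2_1/file response and exercises it against the cases a reviewer would want covered: the absolute /etc path from the PoC, a ".." traversal, a sibling directory that shares the root's name as a prefix, and a symlink inside the user root that points outside it. It also records every denied request as an audit event, as the logging recommendation asks. The temporary directory tree, the root list and the audit store are constructed for the example; the real ZimaOS roots and logging setup are not described on the page.

```python
import logging
import os
import tempfile

logger = logging.getLogger(__name__)

# Denied requests are kept here as well as logged, so a caller (or a test) can inspect them.
DENIED_EVENTS = []


def resolve_within_roots(allowed_roots, requested):
    """Return the real path for `requested` if it lies inside one allowed root, else None."""
    # The API treats the parameter as an absolute path; realpath follows symlinks and
    # collapses "..", so the containment check below sees the true target on disk
    candidate = os.path.realpath(os.path.join("/", requested))
    for root in allowed_roots:
        real_root = os.path.realpath(root)
        # commonpath compares whole components, so "<root>backup" is not inside "<root>"
        if os.path.commonpath([real_root, candidate]) == real_root:
            return candidate
    return None


def list_directory(allowed_roots, requested, client="unknown"):
    """Produce (body, status) in the shape of the /v2_1/file response, or a denial."""
    target = resolve_within_roots(allowed_roots, requested)
    if target is None:
        # Every rejected listing is an audit event worth alerting on
        logger.warning("denied directory listing client=%s path=%r", client, requested)
        DENIED_EVENTS.append({"client": client, "path": requested})
        return {"error": "Access Denied"}, 403
    try:
        entries = sorted(os.listdir(target))
    except FileNotFoundError:
        return {"error": "Directory Not Found"}, 404
    except NotADirectoryError:
        return {"error": "Not a Directory"}, 400
    files = [
        {"name": name, "type": "directory" if os.path.isdir(os.path.join(target, name)) else "file"}
        for name in entries
    ]
    return {"files": files}, 200


def demo():
    """Build a throwaway tree (constructed data) and return the handler's verdict for each case."""
    DENIED_EVENTS.clear()
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "DATA")          # the one root users may list
        os.makedirs(os.path.join(data, "photos"))
        open(os.path.join(data, "notes.txt"), "w").close()
        secret = os.path.join(tmp, "secret")      # stands in for a sensitive system directory
        os.makedirs(secret)
        open(os.path.join(secret, "shadow"), "w").close()
        # A symlink inside the user root that points outside it
        os.symlink(secret, os.path.join(data, "link_out"))
        roots = [data]
        results = {
            "ok": list_directory(roots, data, client="10.0.0.5"),
            "etc": list_directory(roots, "/etc", client="10.0.0.7"),
            "dotdot": list_directory(roots, data + "/../secret", client="10.0.0.7"),
            "symlink": list_directory(roots, data + "/link_out", client="10.0.0.7"),
            "sibling": list_directory(roots, data + "backup", client="10.0.0.9"),
            "missing": list_directory(roots, data + "/nope", client="10.0.0.5"),
        }
    results["denied_count"] = len(DENIED_EVENTS)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for case, (body, status) in ((k, v) for k, v in demo().items() if k != "denied_count"):
        print(f"{case:8s} -> {status} {body}")
```

The symlink case is the one the string-prefix version in the snippet above would get right only by accident: without realpath, the joined path still starts with the base directory, yet listing it reveals the contents of a directory outside the root.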

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more remote (logically and physically) an attacker can be while still exploiting the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2024-49359

Weaknesses

Credits