Summary
The ZimaOS API endpoint http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path> is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files parameter, authenticated users can read sensitive system files, including /etc/shadow, which contains password hashes for all users. This vulnerability exposes critical system data and poses a high risk for privilege escalation or system compromise.
Details
The vulnerability occurs because the API endpoint does not validate or restrict file paths provided via the files parameter. An attacker can exploit this by manipulating the file path to access sensitive files outside the intended directory.
PoC
- Authenticate to the ZimaOS API and obtain a valid session token.
- Use the following request to manipulate the files parameter and read sensitive system files:
GET http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=%2Fetc%2Fshadow
Response
root:$6$abcd1234$...
user1:$6$efgh5678$...
The response includes the contents of the /etc/shadow file, which holds password hashes for system users.
YouTube Video PoC
Unlisted YouTube PoC Link
Impact
- Privilege Escalation: The ability to read sensitive system files, such as /etc/shadow, exposes password hashes, which could lead to password cracking and privilege escalation.
- Data Exposure: Attackers could access configuration files, database credentials, or other sensitive information stored on the server.
- System Compromise: Exposing critical files increases the risk of full system compromise, potentially allowing attackers to gain administrative control over the server.
Recommendation
- Input Validation: Implement strict input validation to ensure that the files parameter can only reference files within a safe, predefined directory. Avoid allowing direct input of file paths from the user.
- Path Traversal Mitigation: Sanitize the files parameter by removing or blocking special characters such as ../ that may allow directory traversal. Resolve the file path (following symlinks) and ensure the resolved path is contained within an allowed directory before allowing access.
- Access Control: Restrict access to sensitive system files such as /etc/shadow by using file access control mechanisms to ensure that only authorized processes or users can access them.
- Logging and Monitoring: Monitor file access attempts for unusual patterns, such as multiple requests for sensitive files, and generate alerts when suspicious activity is detected.
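The Logging and Monitoring recommendation above can be turned into a concrete check. The following is an added example (not code from the advisory or from ZimaOS) that scans constructed access-log lines in common log format for requests to the /v3/file endpoint whose files parameter is an absolute path, contains a ".." segment, or resolves to a well-known sensitive system file, and then flags any session token that issues repeated suspicious requests. The log lines, tokens and client IPs are constructed for the example; the log format, the "/v3/file" path and the alert threshold are assumptions.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not real ZimaOS logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /v3/file?token=tokA&files=docs%2Freport.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /v3/file?token=tokB&files=%2Fetc%2Fshadow HTTP/1.1" 200 1187
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /v3/file?token=tokB&files=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2341
10.0.0.7 - - [01/Jan/2025:10:00:04 +0000] "GET /v3/file?token=tokC&files=%252Fetc%252Fpasswd HTTP/1.1" 404 12
10.0.0.5 - - [01/Jan/2025:10:00:05 +0000] "GET /v3/file?token=tokA&files=photos%2Fcat.jpg HTTP/1.1" 200 90210
"""

# Assumed log layout: client ip, ident, user, [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Files that a file-download API has no legitimate reason to serve.
SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd", "/etc/sudoers"}

FILE_ENDPOINT = "/v3/file"  # assumption: the vulnerable endpoint path from the advisory


def classify_files_param(value):
    """Return a short reason if the files value looks like a traversal attempt, else None.

    `value` is the once-decoded query parameter (as parse_qs returns it); we decode
    it a second time so double-encoded input (%252F) is judged on its final form.
    """
    decoded = unquote(value)
    if posixpath.normpath(decoded) in SENSITIVE_FILES:
        return "sensitive system file"
    if posixpath.isabs(decoded):
        return "absolute path"
    if ".." in decoded.split("/"):
        return "dot-dot segment"
    return None


def scan_log(text):
    """Parse each log line and collect findings for suspicious /v3/file requests."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected format; skip rather than crash
        parts = urlsplit(match["target"])
        if parts.path != FILE_ENDPOINT:
            continue
        params = parse_qs(parts.query)
        for value in params.get("files", []):
            reason = classify_files_param(value)
            if reason is None:
                continue
            findings.append({
                "ip": match["ip"],
                # In production, hash or truncate the token before storing it in alerts.
                "token": params.get("token", ["-"])[0],
                "files": unquote(value),
                "status": int(match["status"]),
                "reason": reason,
            })
    return findings


def tokens_to_alert(findings, threshold=2):
    """Tokens with at least `threshold` suspicious requests, sorted for stable output."""
    counts = Counter(f["token"] for f in findings)
    return sorted(token for token, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ip']} token={hit['token']} status={hit['status']} "
              f"{hit['reason']}: {hit['files']}")
    print("alert on tokens:", tokens_to_alert(hits))
```

The status code is kept in each finding because a 200 on a flagged request means the file was actually served, which should be triaged ahead of 404s from the same token.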
Possible Fix Code:
Here’s an example code snippet that restricts file access to a specific directory and prevents path traversal in Python:
import os

def get_safe_file(file_path):
    # Define the base directory where files are allowed to be read.
    # Resolve it too, so a symlinked base directory compares correctly.
    base_dir = os.path.realpath("/var/safe_directory/")
    # Normalize the requested path: realpath collapses ../ segments and follows symlinks
    requested_file = os.path.realpath(os.path.join(base_dir, file_path))
    # Check that the resolved file is inside the base directory; comparing against
    # base_dir + os.sep also rejects sibling directories such as /var/safe_directory_evil
    if requested_file != base_dir and not requested_file.startswith(base_dir + os.sep):
        return "Access Denied", 403
    # Proceed with reading the file
    try:
        with open(requested_file, 'r') as f:
            return f.read(), 200
    except FileNotFoundError:
        return "File Not Found", 404
This code ensures that only files within the /var/safe_directory/ directory can be accessed and prevents traversal outside this directory.
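To show the containment check behaving correctly on the cases the recommendation lists (a percent-encoded absolute path such as the %2Fetc%2Fshadow value from the PoC, a ../ traversal, and a symlink inside the allowed directory that points outside it), here is an added example that is not part of the advisory or of ZimaOS. It builds a throwaway sandbox directory with tempfile so it runs offline, and it assumes the files value arrives still percent-encoded; the function and file names are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_within_base(base_dir, user_path):
    """Return the resolved path if user_path stays inside base_dir, otherwise None."""
    base = os.path.realpath(base_dir)
    # Assumption: the value is still percent-encoded (e.g. %2Fetc%2Fshadow), so
    # decode once before checking. Skip this if the web framework already decoded it.
    decoded = unquote(user_path)
    # An absolute path is never a legitimate request for a file under base_dir.
    if os.path.isabs(decoded):
        return None
    # realpath collapses ../ segments and follows symlinks, so the check below
    # sees the file the OS would actually open.
    real = os.path.realpath(os.path.join(base, decoded))
    # commonpath compares whole path components, so it rejects both traversal
    # out of base and sibling directories that merely share a prefix.
    if os.path.commonpath([base, real]) != base:
        return None
    return real


def read_safe_file(base_dir, user_path):
    """Mirror the (body, status) contract of the advisory's fix snippet."""
    real = resolve_within_base(base_dir, user_path)
    if real is None:
        return "Access Denied", 403
    if not os.path.isfile(real):
        return "File Not Found", 404
    with open(real, "r") as f:
        return f.read(), 200


def build_fixture():
    """Constructed sandbox: an allowed file inside base, a file outside base,
    and a symlink inside base pointing at the outside file."""
    root = tempfile.mkdtemp(prefix="safe_dir_demo_")
    base = os.path.join(root, "safe_directory")
    os.makedirs(base)
    with open(os.path.join(base, "notes.txt"), "w") as f:
        f.write("allowed content\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside content\n")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "escape"))
    return base


if __name__ == "__main__":
    base = build_fixture()
    for value in ("notes.txt", "%2Fetc%2Fshadow", "../secret.txt", "escape", "missing.txt"):
        body, status = read_safe_file(base, value)
        print(f"{value!r:20} -> {status} {body.strip()!r}")
```

The symlink case is the one a plain string check on the unresolved path misses: the request "escape" contains no slash or dot-dot at all, and only resolving the path before the containment check catches it.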