OpenRefine's Zip Slip Vulnerability Could Let Attackers Execute Malicious Code
2.10.23 Vulnerability The Hacker News
A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems.
Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip flaw that can be triggered by importing a specially crafted project file into versions 3.7.3 and below.
"Although OpenRefine is designed to only run locally on a user's machine, an attacker can trick a user into importing a malicious project file," Sonar security researcher Stefan Schiller said in a report published last week. "Once this file is imported, the attacker can execute arbitrary code on the user's machine."
Zip Slip is a directory traversal weakness in archive extraction: because the extractor trusts the file names stored inside the archive, an attacker who controls the archive can write to parts of the file system that the extraction should never reach, which in turn can be turned into code execution.
The attack has two moving parts: a malicious archive whose entry names contain traversal sequences such as "../", and extraction code that does not validate those names before writing, so files can be overwritten or unpacked to unintended locations.
The planted files are then run either by the adversary (for example by requesting them remotely) or by the system or user in the course of normal operation, resulting in command execution on the victim's machine.
The vulnerability in OpenRefine follows exactly this pattern: the "untar" method that extracts project files did not check entry names, so an archive containing an entry named "../../../../tmp/pwned" caused a file to be written outside the destination folder.
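To make the two moving parts concrete, here is an added, self-contained Python example (not OpenRefine's Java code, and not from the article or from Sonar): it crafts an in-memory tar archive carrying the advisory's "../../../../tmp/pwned" entry name, extracts it with a naive extractor that mirrors the flaw, and then with a hardened extractor that resolves each target path and refuses anything that lands outside the destination. The sandbox layout, function names, and the benign second archive are constructed for the demonstration; the only detail taken from the page is the entry name.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Entry name quoted in the advisory; everything else here is a constructed demo.
MALICIOUS_NAME = "../../../../tmp/pwned"


def build_malicious_tar(member_name: str = MALICIOUS_NAME, payload: bytes = b"owned\n") -> bytes:
    """Build an in-memory tar with one regular-file entry; TarInfo keeps '..' verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def untar_naive(archive: bytes, dest: str) -> list[str]:
    """VULNERABLE: joins the entry name onto dest with no check.

    os.path.join() keeps '../' segments (and drops dest entirely for an
    absolute name), so the file lands wherever the archive author chose.
    """
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.abspath(target))
    return written


def untar_safe(archive: bytes, dest: str) -> list[str]:
    """HARDENED: resolve every target and require it to stay under dest.

    Containment uses Path.parents, not a string prefix: startswith(dest)
    would wrongly accept '/srv/proj_evil' for a dest of '/srv/proj'.
    Link entries are refused outright, since a symlink pointing outside
    dest plus a file written through it is the classic second-stage escape.
    """
    dest_real = Path(dest).resolve()
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                raise ValueError(f"refusing link entry: {member.name!r}")
            target = (dest_real / member.name).resolve()
            if target != dest_real and dest_real not in target.parents:
                raise ValueError(f"Zip Slip entry {member.name!r} escapes {dest}")
            if not member.isfile():
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target))
    return written


def demo() -> dict:
    """Run both extractors in a throwaway sandbox; nothing outside it is touched.

    dest sits five levels below the sandbox root, so the four '../' segments
    climb out of dest but stay inside the sandbox.
    """
    root = tempfile.mkdtemp(prefix="zipslip-demo-")
    dest = os.path.join(root, "a", "b", "c", "d", "e")
    os.makedirs(dest)

    evil = build_malicious_tar()
    naive_written = untar_naive(evil, dest)
    try:
        untar_safe(evil, dest)
        safe_rejected = False
    except ValueError:
        safe_rejected = True

    benign = build_malicious_tar("data/ok.txt", b"hello\n")  # constructed harmless archive
    return {
        "naive_wrote": naive_written[0],
        "expected_escape": os.path.join(root, "a", "tmp", "pwned"),
        "naive_escaped_dest": not naive_written[0].startswith(os.path.abspath(dest) + os.sep),
        "safe_rejected_evil": safe_rejected,
        "safe_wrote_benign": untar_safe(benign, dest),
        "benign_expected": str((Path(dest) / "data" / "ok.txt").resolve()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version deliberately checks every entry, including directories, before deciding whether to write it, and it resolves symlinks in the destination itself; a check that only normalizes the string lexically would still be fooled by a symlink already present under dest.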
Following responsible disclosure on July 7, 2023, the vulnerability has been patched in version 3.7.4, released on July 17, 2023.

"The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem," Schiller said. "For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more."

The disclosure comes as proof-of-concept (PoC) exploit code has surfaced for a pair of now-patched flaws in Microsoft SharePoint Server – CVE-2023-29357 (CVSS score: 9.8) and CVE-2023-24955 (CVSS score: 7.2) – that could be chained to achieve privilege escalation and remote code execution.

It also follows an alert from Cyfirma warning of a high-severity bug in Apache NiFi (CVE-2023-34468, CVSS score: 8.8) that allows remote code execution via malicious H2 database connection strings. It has been resolved in Apache NiFi 1.22.0.

"The impact of this vulnerability is severe, as it grants attackers the ability to gain unauthorized access to systems, exfiltrate sensitive data, and execute malicious code remotely," the cybersecurity firm said. "An attacker could exploit this flaw to compromise data integrity, disrupt operations, and potentially cause financial and reputational damage."