Source: cna@vuldb.com
A vulnerability has been found in HummerRisk up to 1.5.0. This issue affects the function extractTarGZ/extractZip of the file hummer-common/hummer-common-core/src/main/java/com/hummer/common/core/utils/CommandUtils.java of the component Archive Extraction. The manipulation leads to path traversal. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
HummerRisk versions 1.5.0 and prior are vulnerable to a critical path traversal vulnerability that allows attackers to write arbitrary files to the server. This remotely exploitable, publicly disclosed issue could lead to complete system compromise and data exfiltration, and the risk is heightened by the vendor's lack of response.
Step 1: Payload Creation: The attacker crafts a malicious .tar.gz or .zip archive. This archive contains files with filenames that utilize path traversal sequences (e.g., ../../../etc/passwd).
Step 2: Payload Upload: The attacker uploads the malicious archive to the vulnerable HummerRisk application, likely through a file upload feature.
Step 3: Archive Extraction: The application's extractTarGZ or extractZip function is triggered, processing the uploaded archive.
Step 4: Path Traversal: The vulnerable function extracts the files from the archive, failing to sanitize the filenames. The path traversal sequences in the filenames cause the files to be written to unintended directories, potentially overwriting critical system files or creating new files in sensitive locations.
Step 5: System Compromise: Depending on the files written, the attacker can achieve various goals, including gaining remote code execution (e.g., by writing a web shell), escalating privileges, or exfiltrating sensitive data.
The vulnerability lies within the extractTarGZ and extractZip functions in CommandUtils.java. These functions likely fail to properly sanitize or validate filenames extracted from archive files (tar.gz or zip). Specifically, the code likely uses a library or method to extract files from the archive without adequately checking for path traversal sequences (e.g., ../). This allows an attacker to craft a malicious archive containing files with filenames designed to write to arbitrary locations on the server's filesystem. The root cause is a lack of input validation and sanitization of the filenames extracted from the archive, leading to a directory traversal vulnerability. The use of a command-line utility or a library that doesn't properly handle relative paths within the archive is also a likely contributing factor.
While no specific APTs are directly linked in the provided information, the public disclosure and ease of exploitation make this vulnerability attractive to a wide range of attackers, including those seeking to establish initial access or escalate privileges. The lack of vendor response increases the risk of widespread exploitation. Not currently listed on CISA KEV, but should be considered for inclusion.
Monitor file system activity for unexpected file creations or modifications, especially in sensitive directories like /etc, /var/www, or application directories.
Analyze web server logs for suspicious file upload attempts, particularly those involving .tar.gz or .zip files.
Implement file integrity monitoring (FIM) to detect unauthorized changes to critical system files.
Analyze network traffic for unusual patterns associated with file uploads and downloads, especially to and from the vulnerable application.
Review application logs for errors or warnings related to archive extraction, which might indicate exploitation attempts.
Implement Input Validation: Thoroughly validate and sanitize all filenames extracted from archive files. This should include checking for path traversal sequences (e.g., ../) and other malicious characters.
Use Secure Archive Extraction Libraries: Use secure, well-vetted libraries or methods for archive extraction that inherently handle path traversal, or implement custom logic to prevent it.
Restrict File Write Permissions: Limit the application's write permissions to only the necessary directories. This will reduce the impact of a successful exploit.
Regularly Update Dependencies: Ensure that all dependencies, including archive extraction libraries, are up-to-date with the latest security patches.
Implement Web Application Firewall (WAF): Deploy a WAF to detect and block malicious requests, including those attempting to exploit path traversal vulnerabilities.
Monitor and Log: Implement robust logging and monitoring to detect and alert on suspicious activity related to file uploads and archive extraction.