Advisory CVE-2021-41551 Leostream Connection Broker – Authenticated Zip Slip

by | Jan 26, 2022 | Research, Security Bug, Vulnerability

Software: Leostream Connection Broker
Affected Versions: 9.0.40.17
Vendor page: https://leostream.com/
CVE Reference: CVE-2021-41551
Published: 25/01/2022
Attack Vector: path traversal, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi

Summary

Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading a ZIP file that contains a symbolic link.

Mitigation

The Leostream has released a patch for this vulnerability, JUMPSEC recommend upgrading the affected versions to this new version as soon as possible. Leostream’s advice and release notes can be found here.

Technical details

For achieving local file inclusion, an attacker with administrator access to the application – or access as a custom role allowing TPC uploads – can upload zip files to be extracted in the web server directory. The attackers uploaded zip file should be created with a symbolic link by executing “ln -s /etc/passwd passwd”, which can then be zipped using “zip –symlink -r upload.zip passwd” to create the archive. After supplying the zip file to the application, the archive will be extracted and the target file (in this case /etc/passwd) will be accessible in the /tpc/ directory of the web server, in this example /tpc/passwd.

Timeline

10/09/2021: Issue reported to the vendor
10/09/2021: Vendor acknowledged the issues
22/09/2021: CVE number assigned from MITRE
16/10/2021: The security patch was released by Leostream
25/01/2021: Advisory published by JUMPSEC

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

GitHub Activity

 

Follow JUMPSECLabs

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

You may also like…

Can Depix deobfuscate your data?

In this post, Caleb explores Depix and its potential to recover sensitive text from reports that were redacted by the original authors.

Share This