MarkUs Zip Slip Vulnerability in Assignment Configuration Upload Allows Remote Code Execution
Vulnerability
A critical zip slip vulnerability has been identified in MarkUs versions prior to 2.9.1. Instructors can upload zip files to create assignments from exported configurations. The application does not properly validate zip file entry names, allowing for arbitrary file writes on the server. This issue can be exploited to execute remote code if the uploaded files are written to application directories.
Impact
Exploitation of this vulnerability allows for arbitrary file writes on the server, which can lead to remote code execution, especially if the files are placed in application directories.
Reproduction
To reproduce this vulnerability, upload a zip file containing malicious payloads to the 'assignments/upload-config-files' route. The zip file can include entries that exploit the zip slip vulnerability by traversing directories and overwriting files in the application's file structure. After uploading, the extracted files can be executed, demonstrating the remote code execution aspect of the vulnerability.
Remediation
Users are advised to upgrade to MarkUs version 2.9.1, which addresses this vulnerability by verifying zip entry names and removing insecure routes. For additional security, limit the file permissions of the process running the MarkUs application.
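The entry-name verification described above can be sketched as follows. This is an added example, not the MarkUs 2.9.1 patch; the function names, the destination directory and the sample entry names are hypothetical, and it uses only the Ruby standard library.

```ruby
# Added example, not MarkUs code. All names here are hypothetical.
class UnsafeZipEntry < StandardError; end

# Return the absolute path an entry would be written to under dest_dir,
# or raise UnsafeZipEntry if that path falls outside dest_dir.
def safe_entry_path(dest_dir, entry_name)
  root = File.expand_path(dest_dir)
  name = entry_name.to_s.tr('\\', '/') # treat backslashes as separators
  raise UnsafeZipEntry, 'empty entry name' if name.empty?
  raise UnsafeZipEntry, 'NUL byte in entry name' if name.include?("\0")
  if name.start_with?('/') || name.match?(/\A[A-Za-z]:/)
    raise UnsafeZipEntry, "absolute path: #{entry_name}"
  end
  # Joining onto the absolute root first avoids "~" expansion, then
  # expand_path collapses every "." and ".." segment lexically.
  target = File.expand_path(File.join(root, name))
  unless target.start_with?(root + File::SEPARATOR)
    raise UnsafeZipEntry, "escapes destination: #{entry_name}"
  end
  target
end

# Screen every entry name before anything is written; one bad entry
# should cause the whole upload to be refused.
def screen_entries(dest_dir, names)
  result = { ok: [], rejected: [] }
  names.each do |n|
    begin
      safe_entry_path(dest_dir, n)
      result[:ok] << n
    rescue UnsafeZipEntry
      result[:rejected] << n
    end
  end
  result
end

# Constructed sample entry names (not taken from a real archive).
SAMPLE_NAMES = [
  'assignment/properties.yml',
  'assignment/tests/./test_1.py',
  '../../outside.txt',
  'assignment/../../outside.txt',
  '/abs/outside.txt',
  '..\\..\\outside.txt'
].freeze

p screen_entries('/srv/markus_upload_tmp', SAMPLE_NAMES) if __FILE__ == $PROGRAM_NAME
```

The check is lexical only, so symbolic-link entries inside an archive need separate handling. Comparing against the root plus a trailing separator is what stops a sibling directory whose name merely begins with the destination's name from passing.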
