ZimaOS Unauthorized File Creation in Restricted System Directories via API
Vulnerability
A vulnerability in ZimaOS version 1.5.2-beta3 allows users to bypass frontend restrictions and create files or directories in sensitive internal OS paths. The API fails to properly validate the target path, so a request can obtain write access to critical directories such as /etc and /usr. As a result, the integrity and security of the host system can be severely compromised, with potential consequences including remote code execution, privilege escalation, service disruption, and server takeover.
Impact
Exploitation of this vulnerability grants unauthorized write access to critical system directories, with severe implications for the host system's integrity and security. Additionally, according to the CVE details, this vulnerability could be exploited to gain remote code execution.
Reproduction
To reproduce this vulnerability, create a folder through the ZimaOS frontend interface and observe the API request used for folder creation. Then intercept this request and modify the path parameter to target a restricted system directory, such as /etc or /usr. Send the modified request; the API accepts it and creates the folder or file in the restricted directory.
Remediation
It is recommended to implement server-side path validation and canonicalization, restrict file operations to a predefined base directory, reject any path that contains traversal sequences or resolves to a system directory, and apply strict allowlist-based directory access control.
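The server-side check described above, as an added example assuming a Go backend (this is not ZimaOS's own code): the allowed base directories /DATA and /media are assumed values, and the check canonicalizes the requested path before deciding whether it stays inside an allowed base.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Allowed base directories for user file operations. Assumed values for
// this example, not ZimaOS's actual configuration.
var allowedBases = []string{"/DATA", "/media"}
var ErrOutsideBase = errors.New("path resolves outside every allowed base directory")

// resolveWithin canonicalizes requested against base and returns the absolute
// target, or ErrOutsideBase if it escapes base. Relative paths are joined to
// base; absolute paths are accepted only if they are already inside it.
func resolveWithin(base, requested string) (string, error) {
	base = filepath.Clean(base)
	target := filepath.Clean(requested)
	if !filepath.IsAbs(target) {
		target = filepath.Join(base, target)
	}
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", ErrOutsideBase
	}
	// After Clean, any escape (including "/DATAX" vs "/DATA") shows up as a leading "..".
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return target, nil
}

// SafeTargetPath is the check an API handler runs before mkdir/create: the
// request path must land inside one of the allowed bases or it is rejected.
func SafeTargetPath(requested string) (string, error) {
	for _, base := range allowedBases {
		if p, err := resolveWithin(base, requested); err == nil {
			return p, nil
		}
	}
	return "", ErrOutsideBase
}

func main() {
	for _, req := range []string{"Photos/2024", "/media/usb/x", "../etc/cron.d", "/etc/cron.d", "a/../../usr"} {
		fmt.Println(req, "->", fmt.Sprint(SafeTargetPath(req)))
	}
}
```

If an existing ancestor of the target may be a symlink, resolve it with filepath.EvalSymlinks first and run the same comparison on the resolved path.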
