CTFd Zip Slip Vulnerability in Admin Import Functionality Allowing Arbitrary File Write

Vulnerability

A zip slip vulnerability has been identified in CTFd versions prior to 3.8.2, specifically in the admin import feature. By uploading a crafted zip file whose entry names contain path traversal sequences, an attacker can write arbitrary files outside the designated directories. The issue lies in the 'filesystem' uploader; when CTFd runs with the default 'docker-compose.yml' it ships, the file write can lead to arbitrary code execution under certain conditions.
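The control a zip slip fix adds is a per-member path check before anything is written. The following is an added example (not CTFd's own code) that resolves each archive entry against the destination directory and refuses any that escapes it; the archive it extracts is constructed inline, with one benign member and one traversal member.

```python
import io
import os
import tempfile
import zipfile

def is_within_directory(base: str, target: str) -> bool:
    """True if the fully resolved target path stays inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def safe_extract(zip_bytes: bytes, dest: str):
    """Extract an archive, refusing members whose resolved path escapes dest;
    returns (extracted, rejected) member-name lists."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.join(dest, name)
            # Absolute names and ".." traversal both fail this check.
            if os.path.isabs(name) or not is_within_directory(dest, target):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                # Written by hand so the path check, not the library, is the control.
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            extracted.append(name)
    return extracted, rejected

def build_sample_zip() -> bytes:
    """Constructed archive: one benign member and one traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("import/notes.txt", "constructed sample content\n")
        zf.writestr("../../escaped.txt", "would land outside dest\n")
    return buf.getvalue()

def demo():
    """Run safe_extract on the sample zip in a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_sample_zip(), dest)
        benign_written = os.path.isfile(os.path.join(dest, "import", "notes.txt"))
    return extracted, rejected, benign_written

if __name__ == "__main__":
    print(demo())  # (['import/notes.txt'], ['../../escaped.txt'], True)
```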

Impact

Exploitation of this vulnerability allows arbitrary file writes as the CTFd process user, which is typically root. An attacker can use this to plant a persistent backdoor, for example by writing to the .bashrc file; the backdoor survives container restarts, and the written files persist on the host through bind mounts.

Reproduction

To reproduce this vulnerability, upload a crafted zip file through the admin import feature that exploits the zip slip flaw by writing files outside the intended directories. The CTFd instance must be running in a Docker container with the default 'docker-compose.yml' configuration, which switches to the root user.

Remediation

CTFd users are advised to update to version 3.8.2 or later. The latest version can be downloaded from the CTFd GitHub releases page.

Added: Mar 18, 2026, 5:24 PM
Updated: Mar 18, 2026, 5:24 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          0.8
  exploitability  5.9
  remediation     7.7
  relevance       4.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.