Zoraxy Authenticated Path Traversal Vulnerability Leading to Remote Code Execution
Vulnerability
A path traversal vulnerability allowing authenticated users to write arbitrary files outside the configuration directory has been identified in Zoraxy versions prior to 3.3.2. This vulnerability exists in the configuration import endpoint, where the sanitization of zip entry names can be bypassed. Exploiting this issue could lead to remote code execution by creating a malicious plugin. The vulnerability is particularly concerning because, if exploited, it could allow for a full host takeover, especially if the Docker socket is mapped.
Impact
Exploitation of this vulnerability allows for arbitrary file writing, which can be leveraged to execute remote code. Given that the Docker socket might be mapped, this could result in a complete takeover of the host system.
Reproduction
To reproduce this vulnerability, an authenticated user can upload a zip file through the configuration import endpoint. The zip file should be crafted to include a payload that exploits the path traversal vulnerability by embedding '../' sequences. Once the malicious zip file is uploaded, the payload can be executed by manipulating the Zoraxy application environment.
Remediation
Users are advised to update to Zoraxy version 3.3.2 or later, where this vulnerability has been patched.
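For import code that unpacks uploaded archives, the defence against this class of bug is a containment check on the resolved path of every zip entry, rather than string filtering of the entry name. The Go sketch below is an added example, not Zoraxy's code and not the actual 3.3.2 patch; the function names, the sample entry names and the directory /srv/zoraxy-demo/conf are assumptions made for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin maps a zip entry name to a path under baseDir, or errors if it would land outside.
func safeJoin(baseDir, entryName string) (string, error) {
	name := strings.ReplaceAll(entryName, "\\", "/")           // backslashes count as separators on any OS
	target := filepath.Join(baseDir, filepath.FromSlash(name)) // Join resolves ".." segments
	rel, err := filepath.Rel(baseDir, target)
	if err != nil || name == "" || filepath.IsAbs(name) || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q does not stay inside %s", entryName, baseDir)
	}
	return target, nil
}

// rejectedEntries lists the entry names that safeJoin refuses; an importer should abort if any exist.
func rejectedEntries(zipData []byte, baseDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, err := safeJoin(baseDir, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// buildSampleZip returns a constructed in-memory archive; entries are empty, only names matter.
func buildSampleZip(names []string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		w.Create(n)
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(rejectedEntries(buildSampleZip([]string{"conf/site.config", "../plugins/demo/start.sh"}), "/srv/zoraxy-demo/conf"))
}
```

The check is lexical only: it does not follow symlinks that already exist under the base directory, so an importer that must handle those needs an additional check on the resolved filesystem path.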
