AGL App Framework Main Zip Slip Path Traversal Vulnerability Leading to Arbitrary File Write and Code Execution

Vulnerability

A Zip Slip path traversal vulnerability, combined with a TOCTOU race condition, has been identified in the widget installation process of AGL app-framework-main version 17.1.12 and prior. The vulnerability arises because the is_valid_filename function in wgtpkg-zip.c only blocks absolute paths and does not validate ZIP entry names against ".." directory traversal sequences. A crafted ZIP file can therefore abuse the zread extraction function, which resolves entry names relative to the work directory, to write files anywhere on the filesystem. Notably, extraction occurs before signature verification, enabling the installation of potentially malicious widgets. If signature verification fails, only the temporary files in the work directory are removed, leaving behind any files written through the path traversal vulnerability.

Impact

Exploitation of this vulnerability allows for arbitrary file write capabilities, with the potential for code execution, due to the privileged context in which the widget installation occurs.

Remediation

It is recommended to normalize and validate all archive entry paths against the target directory before extraction.
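As an illustration of that recommendation, the following is an added example of a lexical entry-name check and is not code from app-framework-main; the function name safe_entry_path and its interface are assumptions, and the check must still be paired with O_NOFOLLOW or fstat checks at open time because it does not see symlinks already present under the work directory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement check for an archive entry name: lexically
 * normalise it and confirm it cannot leave the work directory. On success
 * the normalised relative path is written to out and true is returned.
 * Rejects absolute names, backslash separators and any ".." that would
 * climb above the work directory. The check is purely lexical, so symlinks
 * already present under the work directory still need an O_NOFOLLOW or
 * fstat check when the file is actually opened for writing. */
bool safe_entry_path(const char *entry, char *out, size_t outlen)
{
    const char *comps[256];          /* surviving path components */
    size_t ncomps = 0, used = 0;
    char buf[4096];

    if (entry == NULL || entry[0] == '\0' || entry[0] == '/' ||
        strchr(entry, '\\') != NULL || strlen(entry) >= sizeof buf)
        return false;
    strcpy(buf, entry);              /* strtok needs a writable copy */

    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;                /* "./a" is the same as "a" */
        if (strcmp(tok, "..") == 0) {
            if (ncomps == 0)
                return false;        /* would escape the work directory */
            ncomps--;                /* "a/../b" collapses to "b" */
            continue;
        }
        if (ncomps == sizeof comps / sizeof comps[0])
            return false;
        comps[ncomps++] = tok;
    }
    if (ncomps == 0)
        return false;                /* "." or "a/.." names the directory itself */

    /* Rebuild the path with single '/' separators and no leading slash. */
    for (size_t i = 0; i < ncomps; i++) {
        int n = snprintf(out + used, outlen - used, "%s%s",
                         i ? "/" : "", comps[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return false;
        used += (size_t)n;
    }
    return true;
}
```

Calling this for every entry before any write, and joining the returned relative path to the work directory only afterwards, is what stops the traversal; the signature check should then run before anything is copied out of the work directory.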

Added: May 1, 2026, 5:28 PM
Updated: May 1, 2026, 5:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.2
exploitability: 3.8
remediation: 0.0
relevance: 7.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.