efw4.X File Unzipping Vulnerability Leading to Remote Code Execution
Vulnerability
A remote code execution vulnerability exists in efw4.X versions prior to 4.08.010. The issue arises in the file management component, where the unzipping function writes zip entries to disk without proper path validation. This flaw allows an attacker to craft a zip file that escapes the intended extraction directory and places a malicious JSP web shell in a location writable by the Tomcat process, such as the servlet context root. Once the web shell is uploaded, the attacker can execute arbitrary commands on the server as the Tomcat user.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the executed commands running under the Tomcat user account.
Reproduction
To reproduce this vulnerability, create a zip file containing a JSP web shell. The zip file should be crafted to include a file named with a path traversal sequence that escapes the extraction directory, such as '../../../pwned.jsp'. Once the zip file is uploaded to the server via the multipart upload servlet, the file manager's unzipping function will extract the web shell into a location accessible to the Tomcat process. After unzipping, the web shell can be accessed through the servlet context root, and commands can be executed on the server.
Remediation
Users should update to efw4.X version 4.08.010 or later, where this vulnerability has been patched.
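The missing check described above, as an added example that is not efw4.X's own code: a guarded unzip routine that canonicalises each entry's target path and refuses to write anything if any entry resolves outside the extraction directory. It is written in Python rather than the server's own language, and the archive containing the '../../../pwned.jsp' entry is constructed inside the block with placeholder content.

```python
import io, os, tempfile, zipfile

def build_sample_zip(include_traversal: bool) -> bytes:
    """Constructed sample: a legitimate entry plus, optionally, a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content")
        if include_traversal:
            zf.writestr("../../../pwned.jsp", "<!-- placeholder text, not a shell -->")
    return buf.getvalue()

def resolve_entry(dest: str, name: str) -> "str | None":
    """Canonical on-disk path for an entry, or None if it would escape dest."""
    dest_real = os.path.realpath(dest)
    # Absolute names, backslash separators and drive letters are rejected outright.
    if name.startswith("/") or "\\" in name or ":" in name.split("/")[0]:
        return None
    # Join, then canonicalise so '..' segments collapse before the containment check.
    target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
    return target if os.path.commonpath([dest_real, target]) == dest_real else None

def find_traversal_entries(zip_bytes: bytes, dest: str) -> "list[str]":
    """Detection helper: names of entries that would land outside dest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if resolve_entry(dest, i.filename) is None]

def safe_extract(zip_bytes: bytes, dest: str) -> "list[str]":
    """Validate every entry before writing anything; return relative paths written."""
    bad = find_traversal_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive rejected, entries escape {dest}: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(dest)).replace(os.sep, "/"))
    return written

def demo(include_traversal: bool) -> str:
    # Run the guarded extraction in a scratch directory and report the outcome.
    with tempfile.TemporaryDirectory() as dest:
        try:
            return "extracted:" + ",".join(safe_extract(build_sample_zip(include_traversal), dest))
        except ValueError:
            return "rejected"
```

Because every entry is validated before the first write, a crafted archive is rejected as a whole rather than leaving its legitimate entries on disk next to a partially extracted payload.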