Advisory CVE-2021-41551 Leostream Connection Broker – Authenticated Zip Slip

Software: Leostream Connection Broker
Affected Versions: 9.0.40.17
Vendor page: https://leostream.com/
CVE Reference: CVE-2021-41551
Published: 25/01/2022
Attack Vector: path traversal, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi

Summary

Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading a ZIP file that contains a symbolic link.

Mitigation

The Leostream has released a patch for this vulnerability, JUMPSEC recommend upgrading the affected versions to this new version as soon as possible. Leostream’s advice and release notes can be found here.

Technical details

For achieving local file inclusion, an attacker with administrator access to the application – or access as a custom role allowing TPC uploads – can upload zip files to be extracted in the web server directory. The attackers uploaded zip file should be created with a symbolic link by executing “ln -s /etc/passwd passwd”, which can then be zipped using “zip –symlink -r upload.zip passwd” to create the archive. After supplying the zip file to the application, the archive will be extracted and the target file (in this case /etc/passwd) will be accessible in the /tpc/ directory of the web server, in this example /tpc/passwd.

Timeline

10/09/2021: Issue reported to the vendor
10/09/2021: Vendor acknowledged the issues
22/09/2021: CVE number assigned from MITRE
16/10/2021: The security patch was released by Leostream
25/01/2021: Advisory published by JUMPSEC