Summary
Siyuan is vulnerable to RCE. The issue stems from a "Zip Slip" vulnerability during zip file extraction, combined with the ability to overwrite system executables and subsequently trigger their execution.
Steps to reproduce
- Authenticate
- Create zip slip payload with path traversal entry
../../../../opt/siyuan/startup.sh. startup.sh contains malicious code like:
#!/bin/sh
echo 'you have been pwned' > /siyuan/workspace/data/pwned.txt
echo "pandoc 3.1.0"
- Upload zip to workspace via
/api/file/putFile
- Extract zip via
/api/archive/unzip, overwrites the existing executable startup.sh while maintaining the +x permission
- Trigger execution by calling
/api/setting/setExport with pandocBin=/opt/siyuan/startup.sh. This calls IsValidPandocBin() which executes startup.sh --version that outputs "pandoc 3.1.0" and executes any arbitrary malicious code
References
sebastianosrt Reporter
Summary
Siyuan is vulnerable to RCE. The issue stems from a "Zip Slip" vulnerability during zip file extraction, combined with the ability to overwrite system executables and subsequently trigger their execution.
Steps to reproduce
../../../../opt/siyuan/startup.sh. startup.sh contains malicious code like:/api/file/putFile/api/archive/unzip, overwrites the existing executablestartup.shwhile maintaining the +x permission/api/setting/setExportwithpandocBin=/opt/siyuan/startup.sh. This callsIsValidPandocBin()which executesstartup.sh --versionthat outputs "pandoc 3.1.0" and executes any arbitrary malicious codeReferences