Scada-LTS Zip Slip Arbitrary File Write Vulnerability Analysis

Key Information Vulnerability Type: Scada-LTS Zip Slip Arbitrary File Write Submitter: sh7err@vEcho Tested Revision: commit 1cfaed4b35117e4871bc3dfeae073f61d8e3bb3d (branch: develop) Summary: - Scada-LTS contains a Zip Slip-style path traversal vulnerability in its project import functionality. - By providing a specially crafted ZIP archive, an authenticated administrator can trick the server into writing attacker-controlled files outside the intended directories (such as uploads/ and graphics/). - The issue stems from insufficient normalization and validation in ZIPProjectManager.restoreFiles, as well as lax path checks in PathSecureUtils and SafeZipFileUtils. - Successful exploitation allows arbitrary file overwrites anywhere under Common.getHomeDir() (typically the Tomcat base directory). - Attackers can compromise the user interface, inject malicious SVGs to achieve stored XSS, or modify resources served to other users. Product & Versions: - Product: Scada-LTS - Affected Versions: All versions released up to and including commit 1cfaed4b35117e4871bc3dfeae073f61d8e3bb3d. - Fixed Version: Not yet fixed Vulnerability Details: - Root Cause Analysis: 1. The ZIPProjectManager.java source code traverses ZIP entries during import and delegates to UploadFileUtils.filteringUploadFiles/filteringGraphicsFiles for filtering before calling restoreFiles. 2. restoreFiles (line 179) ultimately resolves file paths via PathSecureUtils.toSecurePath() and writes the file, without further checks if an optional result exists. 3. PathSecureUtils.toSecurePath() constructs an absolute path by simply concatenating the input to Common.getHomeDir() before returning, allowing files to be written anywhere under the base directory if the provided path contains traversal segments (e.g., uploads/../../../webapps/Scada-LTS/assets/logo.png). 4. Preventive checks in SafeZipFileUtils.validate() rely on ValidationPaths.validatePath(), which always reports success, thus failing to block traversal sequences. 5. UploadFileUtils.isToUploads() only verifies the file’s MIME type (e.g., PNG, SVG, info.txt), and does not prevent directory traversal. - Proof of Concept: 1. Log in to Scada-LTS as an administrator. 2. Create a ZIP archive containing payload files located outside the intended directories. 3. In the web interface, navigate to System → Import and upload the malicious ZIP archive. 4. After import, verify that files have been overwritten with attacker-controlled images, confirming arbitrary file write. Impact: - Persistent disruption or phishing attacks can be achieved by replacing UI assets. - If malicious SVGs or other interpretable resources are placed in web-accessible locations, stored XSS may be triggered. - Further exploitation can be enabled by overwriting configuration, template files, or other static resources delivered to operators. Remediation Guidance: - Treat all ZIP entry names as untrusted input. After resolving to a canonical path (File#getCanonicalPath()), ensure it starts with the expected uploads/graphics base directory before writing the file. - Strengthen SafeZipFileUtils/ValidationPaths to reject traversal tokens (.., absolute paths, drive letters) instead of blindly accepting normalize() results. - Optionally, maintain an explicit whitelist of allowed subdirectories and file types. Discoverer: sh7err@vEcho

Goal Reached Thanks to every supporter — we hit 100%!

Scada-LTS Zip Slip Arbitrary File Write Vulnerability Analysis

More from this source