In September 2022, a significant security bug, CVE-2022-40977, was discovered in the Pilz PASvisu Server (before version 1.12.0). This flaw enables attackers to perform a dangerous attack known as "path traversal" or the notorious "zip-slip" using a zipped configuration file. In this post, we'll break down what this means, view code snippets, analyze why it happens, and show just how an unauthenticated remote attacker can abuse it.

In practice, the bug lets an attacker:

- Write arbitrary files anywhere the server process has access, possibly overwriting critical files.
- Do so without being logged in (unauthenticated), because the configuration import function was exposed without authentication.

Pilz PASvisu is an HMI (Human Machine Interface) platform used in many critical industrial environments, so an attacker could potentially disrupt or fully take over the processes the server controls.
## How Does the "Zip-Slip" Vulnerability Work?

This vulnerability occurs when a ZIP extractor does not sanitize the filenames stored inside the archive. ZIP entries whose names carry path components like `../../../etc/passwd` are crafted to break out of the target directory when they are written to disk.
Here's a simple example in Python (note that CPython's own `zipfile` module has stripped leading slashes and `..` components since 3.3.1, so this illustrates an extractor that trusts entry names as-is):

```python
import zipfile


def unsafe_extract(zip_path, extract_to):
    with zipfile.ZipFile(zip_path, 'r') as z:
        # Entry names are written wherever they point: vulnerable to zip-slip!
        z.extractall(extract_to)
```
If the ZIP file contains an entry named `../../../tmp/pwned.txt`, the file is extracted outside the intended directory, anywhere the server's user can write!
## 1. Creating a Malicious ZIP File

Suppose an attacker wants to overwrite the `C:\Windows\System32\drivers\etc\hosts` file on the Pilz PASvisu server (on Windows):

- Create a ZIP archive with an entry like `../../../Windows/System32/drivers/etc/hosts`
Here's how you can do that with Python:

```python
import zipfile

zip_path = "evil.zip"
with zipfile.ZipFile(zip_path, 'w') as z:
    # The entry name escapes three directories upward, then writes inside the Windows dir.
    z.writestr("../../../Windows/System32/drivers/etc/hosts", b"127.0.0.1 badsite.com")
```
On Linux, an equivalent path might target `/etc/passwd` as `../../../../etc/passwd`.
## 2. Sending the ZIP to the Vulnerable Server

The attacker would upload this ZIP through PASvisu's configuration import interface, which does NOT require authentication in versions before 1.12.0. Once extracted, the payload overwrites the intended files.

The server's ZIP extraction routine naïvely writes files wherever the ZIP says. Loss of system integrity, tampering with sensitive configs, or further escalation (e.g., writing a webshell or modifying a user's config file) is now possible.
## Secure Code: How Should It Be Done?

To avoid this, always check ZIP entry paths before extracting. Never allow `..` (upward traversal) or absolute paths.

Example secure extract function:
```python
import os
import zipfile


def safe_extract(zip_path, extract_to):
    with zipfile.ZipFile(zip_path, 'r') as z:
        for member in z.infolist():
            # Collapse "a/../b" style segments so the checks below see the real path
            normalized = os.path.normpath(member.filename)
            # Reject anything that climbs upward or starts from the filesystem root
            # (the substring test also rejects benign names like "a..b": stricter than
            # needed, but safe)
            if '..' in normalized or os.path.isabs(normalized):
                print(f"Blocked zip-slip attempt: {member.filename}")
            else:
                z.extract(member, extract_to)
```
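As an added example that is not from the original post or from Pilz, here is a stricter version of the same idea, covering both the "check entry paths before extracting" advice and the earlier description of how escaping entries work: instead of searching the name for `..`, it resolves each entry against the real destination directory and rejects the whole archive if any entry would land outside it. That also catches absolute names, back-slash separated names from Windows-built archives, and the `/srv/cfg` versus `/srv/cfg-old` prefix trick that a `startswith` check would miss. The archive contents and the destination directory are constructed for the demonstration; `build_sample_zip`, `find_unsafe_entries`, `resolve_member` and `safe_extract` are names chosen here, not PASvisu's.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Optional


def build_sample_zip(include_escaping: bool) -> bytes:
    """Constructed sample archive (not a real PASvisu config): one benign entry,
    plus two escaping entries when include_escaping is True."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("config/settings.xml", b"<settings/>")
        if include_escaping:
            z.writestr("../../escaped.txt", b"relative traversal")
            z.writestr("/tmp/absolute.txt", b"absolute path")
    return buf.getvalue()


def resolve_member(dest_dir: str, name: str) -> Optional[str]:
    """Absolute path an entry would be written to, or None if it escapes dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    # Archives built on Windows may use back-slashes; treat them as separators too.
    candidate = os.path.realpath(os.path.join(dest_root, name.replace("\\", "/")))
    # commonpath, not startswith: "/srv/cfg" must not accept "/srv/cfg-old/x".
    # An entry that resolves to the root itself ("", ".") is useless and rejected too.
    if candidate == dest_root or os.path.commonpath([dest_root, candidate]) != dest_root:
        return None
    return candidate


def find_unsafe_entries(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Pre-import check: names of every entry that would land outside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [info.filename for info in z.infolist()
                if resolve_member(dest_dir, info.filename) is None]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Validate every entry first, then write the archive; returns the paths written.
    One bad entry rejects the whole archive rather than being silently skipped."""
    unsafe = find_unsafe_entries(zip_bytes, dest_dir)
    if unsafe:
        raise ValueError(f"archive rejected, escaping entries: {unsafe}")
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            target = resolve_member(dest_dir, info.filename)
            assert target is not None  # already validated above
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Copy the bytes ourselves instead of ZipFile.extract(), so the containment
            # check above is the only thing deciding where data lands.
            with z.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


if __name__ == "__main__":
    # Placeholder for the real configuration directory of the import feature.
    dest = tempfile.mkdtemp(prefix="pasvisu-import-")
    print("escaping entries:", find_unsafe_entries(build_sample_zip(True), dest))
    print("written:", safe_extract(build_sample_zip(False), dest))
```

Because the bytes are copied by hand after the containment check, the result does not depend on whatever sanitising a given ZIP library happens to do, and symlink entries are never materialised as links, so `realpath` cannot be tricked by a link created earlier in the same archive.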
Reference: Python zip extraction best practices
## Official References & Fix

- Pilz Security Advisory:
  > "An unauthenticated remote attacker can trigger arbitrary file writes ('zip-slip') by providing a zipped malicious configuration file. Affected version(s): PASvisu Server before 1.12.0."
- NIST CVE Database Entry
- Pilz PASvisu Server product page
Patched in Pilz PASvisu Server 1.12.0. If you run an older version, update immediately.
CVE-2022-40977 is a classic path traversal bug with serious consequences. Zip-slip is now widely recognized, but you'd be surprised how many critical systems (especially in industrial/IoT) still neglect secure ZIP handling! Don't get caught out.
Stay secure. Want more?
- How Zip Slip Works (Snyk)
- OWASP: Path Traversal
Note: This write-up is an exclusive, original explanation meant to simplify a real-world vulnerability for a wider audience.
## Timeline

Published on: 11/24/2022 10:15:00 UTC