Delta Electronics is a well-known manufacturer of industrial automation and power management devices. Their InfraSuite Device Master is a popular tool used to centralize and manage various power devices, often deployed in critical infrastructure settings like data centers.

In late 2022, a serious security vulnerability, CVE-2022-41772, was disclosed in InfraSuite Device Master, affecting versions 00.00.01a and prior. The flaw lies in how the application handles .ZIP archives: entry names containing special characters such as ../ are not sanitized, which allows path traversal during extraction. When abused, this can lead to remote code execution (RCE), letting an attacker run their own code on the targeted system.

In this deep dive, we explain how the vulnerability works, walk through a code example, and provide references for further reading.

What Is Path Traversal?

Path traversal attacks let an attacker read or write files and directories outside the intended folder. This is typically done by inserting sequences like ../ into file names, which tell the filesystem to move "up" one directory level.

For example:

goodfile.txt   --> extracts to: C:\Program Files\DeviceMaster\goodfile.txt
../../evil.exe --> extracts to: C:\evil.exe   (outside the expected folder!)

If an application extracts files from archives (such as .ZIP files) without sanitizing the entry paths, an attacker can place their own files anywhere on the system that the application's user account can write to.

CVE Details

- CVE ID: CVE-2022-41772
- Attack vector: a specially crafted .ZIP archive uploaded to the server
- Exploit scenario: an attacker with the ability to upload a ZIP file to the Device Master server can place executable payloads on the filesystem, such as dropping a backdoor or replacing key application files.

How the Exploit Works

The vulnerable application extracts ZIP files without checking for dangerous paths. Here is a simplified step-by-step view of an attack:

1. Attacker crafts a ZIP archive

The ZIP contains a file with a path like ../../Windows/System32/cmd.exe, or ../evil.bat.

2. ZIP is uploaded to Device Master

The attacker finds a feature (perhaps a backup restore or module upload function) that accepts ZIP archives.

3. Application extracts the ZIP

The software extracts files without sanitizing the paths, allowing payloads to overwrite or drop files anywhere the Device Master service account has write access.

4. Remote code execution

The attacker can then trigger the malicious file, for example by uploading a malicious script and accessing it over the web, or by replacing an application executable that runs automatically.

Proof of Concept Code

Here is a simple Python script showing how a malicious ZIP file designed for directory traversal can be created:

import zipfile

# Name of the malicious ZIP to write
zipfilename = "exploit.zip"

# This entry name will be dropped outside the expected folder by a naive extractor
malicious_filename = "../../evil.bat"  # For Windows

# The payload: a simple command, could be anything
payload = b"@echo off\necho Hello from exploit > C:\\pwned.txt\n"

# zipfile.writestr stores the entry name verbatim, "../" included
with zipfile.ZipFile(zipfilename, 'w') as z:
    z.writestr(malicious_filename, payload)

print(f"Created malicious ZIP: {zipfilename}")

What this does

- Creates a ZIP that, if extracted naively by the application, drops evil.bat two directories above the intended extraction path.

Exploitation Example

Let's say Device Master provides a backup restore feature that takes in a ZIP file. An attacker could:

1. Upload a ZIP containing ../../evil.exe with their code inside.

2. Wait for the backup restore process to extract all contents; the malicious file lands in C:\.

3. Try to trigger execution of evil.exe remotely (for example, by accessing a URL or waiting for a scheduled task to run it).

If the service runs as Administrator, the attacker has full control over the system.

- An attacker gaining code execution could disrupt power management systems, plant backdoors, or sabotage operations.
- This type of attack can be delivered remotely if there’s any file upload capability accessible over the network.

References

- CVE-2022-41772 Official Page (NVD)
- ZDI Advisory (ZDI-22-1503)
- Delta Electronics Advisory

Conclusion

CVE-2022-41772 shows how important it is for developers to avoid naive file extraction in sensitive applications. As this case demonstrates, a single unchecked ZIP can mean a full compromise. If you use Delta Electronics InfraSuite Device Master, patch now and always sanitize paths when processing archives.
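As an added example (not part of the original post, and not Delta's code), here is a hardened extractor in Python that rejects the kind of traversal archive the script above produces: every entry name is checked before anything is written, so one bad entry refuses the whole archive. The `build_zip` and `run_demo` helpers are constructed for a self-contained demonstration.

```python
import io, os, tempfile, zipfile
from pathlib import PurePosixPath

def safe_member_path(dest_dir, member_name):
    """Return the on-disk path for member_name, or raise ValueError if it escapes dest_dir."""
    # Treat backslashes as separators too, as a Windows extractor would.
    parts = PurePosixPath(member_name.replace("\\", "/")).parts
    # Reject empty or absolute names, drive prefixes like "C:" and any ".." component.
    if not parts or parts[0].startswith("/") or parts[0].endswith(":") or ".." in parts:
        raise ValueError(f"unsafe archive entry: {member_name}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, target]) != root:  # belt and braces
        raise ValueError(f"unsafe archive entry: {member_name}")
    return target

def safe_extract(zip_bytes, dest_dir):
    """Extract an archive, refusing all of it if any single entry is unsafe."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every name before writing anything (all-or-nothing extraction).
        plan = [(i, safe_member_path(dest_dir, i.filename)) for i in zf.infolist()]
        for info, target in plan:
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                written.append(target)
    return written

def build_zip(entries):  # constructed sample archive from {name: bytes}; names stored verbatim
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def run_demo():
    """Extract a clean backup, then the post's traversal archive, into a temp dir."""
    dest = tempfile.mkdtemp()
    extracted = safe_extract(build_zip({"backup/config.ini": b"[ok]\n"}), dest)
    try:
        safe_extract(build_zip({"good.txt": b"x", "../../evil.bat": b"@echo off\n"}), dest)
        rejected = None
    except ValueError as exc:
        rejected = str(exc)
    # Even the benign entry of the rejected archive must be absent from dest.
    return len(extracted), rejected, os.path.exists(os.path.join(dest, "good.txt"))
```

Note that Python's own `ZipFile.extractall` already strips leading `../` components; the explicit check matters for code that resolves entry names itself, as a custom extractor in a product like Device Master would.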

Timeline

Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/02/2022 14:04:00 UTC