CVE-2022-43451 - Path Traversal Attack in OpenHarmony Allows Local Sandbox Escape and Arbitrary Directory Creation

Path traversal vulnerabilities remain a serious threat to the security of modern operating systems and services. One notable example is CVE-2022-43451, which affects versions up to OpenHarmony-v3.1.2. This long read aims to give you a clear and detailed look at the vulnerability, how it works, and why it’s dangerous, with code snippets and exploitation insights. If you’re running OpenHarmony or are curious about system security, this is for you.

What Is OpenHarmony, and Where’s the Problem?

OpenHarmony is an open-source operating system for smart devices. Like many OS platforms, it has system services that handle application launching—in this case, appspawn and nwebspawn. These services run with higher privileges and are supposed to keep applications in their sandboxed environment for security.

But up to version v3.1.2, OpenHarmony has a multiple path traversal vulnerability (CVE-2022-43451) in these services. This means a local attacker (someone with just ordinary user access) can manipulate file paths in a way that lets them escape their restricted environment or even create directories anywhere on the filesystem. Worse, if chained with other bugs, it opens the path to full root access.

Path Traversal 101

A path traversal attack happens when software doesn’t safely process file or directory path input. For example:  
- Good path: /data/app/com.example.myapp/output.log  
- Bad path: ../../../../etc/passwd  

If unchecked, this lets an attacker climb the directory tree and read or write restricted files.

Where Did OpenHarmony Go Wrong?

In the vulnerable versions, the appspawn and nwebspawn services did not properly sanitize or validate user-supplied paths. Instead, they might accept input containing dangerous sequences like .. (parent directory), blindly concatenating them with system paths.

Here’s a simplified code example that shows the problem

// Pseudocode based on OpenHarmony's service logic

void CreateAppDirectory(const std::string &appName, const std::string &dirPath) {
    std::string fullPath = "/data/app/" + appName + "/" + dirPath;
    mkdir(fullPath.c_str(), 0755);
}

Now, if an attacker passes something like ../../../etc/hacked_dir as the dirPath, the fullPath becomes /data/app/appname/../../../etc/hacked_dir, which the filesystem resolves to /etc/hacked_dir. That’s not supposed to happen.

If you’re a local attacker, here’s how you could exploit CVE-2022-43451

1. Locate a Feature to Create Files/Directories:

Submit a Malicious Path:

Instead of a regular folder, submit directory names containing ../ sequences (like ../../../home/root/evil).

Service Creates Arbitrary Directory:

The vulnerable appspawn or nwebspawn service creates the directory outside of the allowed sandbox, potentially anywhere in the filesystem.

Optional—Chaining:

If there’s another vulnerability, such as one allowing execution of custom files or privilege escalation, you can use this path traversal to drop attack scripts or tools in sensitive locations—leading to root access.

Real Attack Example

Let’s say you’re running on a device with OpenHarmony v3.1.2 and you’re a regular app developer or attacker. You find a way to trigger directory creation through the vulnerable service.

Attack Script

import os

# This would normally require calling the service, but here’s the attacker’s input:
malicious_dir = "../../../tmp/attacker_owned"
os.system(f"openHarmony_create_dir {malicious_dir}")

After running, /tmp/attacker_owned exists—even though the app is not supposed to write outside its own subdirectory.

If the attacker can later trick the system into running a script from /tmp/attacker_owned as root, they’ve achieved privilege escalation.

Why This Is Serious

- Sandbox Escape: Apps are supposed to be locked to their own bit of disk. With CVE-2022-43451, that guarantee is broken.
- Arbitrary Directory Creation: Attackers can clutter the system with folders, overwrite important config files, or set up for further attacks.
- Chaining = Full Compromise: Combined with an LPE (Local Privilege Escalation) or code execution bug, an attacker could take over the entire operating system.

Upgrade: If you use OpenHarmony, update to v3.2. or later where this bug is patched.

- Sanitize Input: Always use functions like realpath() to clean up user-supplied paths, and never allow .. or absolute paths in directory creation features.
- Monitor System Changes: Watch for unexpected directories and files in sensitive system locations—especially those linked to app activities.

References

- CVE-2022-43451 @ NVD
- OpenHarmony Security Updates
- Path Traversal Exploits: OWASP Guidance

Final Thoughts

CVE-2022-43451 is a classic example of path traversal—but with real-world consequences for any system relying on OpenHarmony. It shows the importance of strict input validation, especially in privileged system services. If you’re a developer or system administrator, check your versions and update ASAP. Stay safe!


*(This writeup is exclusive for educational purposes—do not attack systems you don’t own or have permission to test.)*

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/07/2022 02:16:00 UTC